CVE-2026-20420 Overview
CVE-2026-20420 is an Out-of-Bounds Read vulnerability affecting MediaTek modem firmware across a wide range of chipsets. The vulnerability exists in the modem component where incorrect error handling can lead to a system crash. An attacker controlling a rogue base station can exploit this vulnerability to cause remote denial of service on affected devices without requiring any user interaction or additional execution privileges.
Critical Impact
Remote denial of service attack possible through rogue base station, affecting mobile devices using MediaTek modem chipsets across NR15, NR16, NR17, and numerous MT6xxx/MT8xxx series processors.
Affected Products
- MediaTek NR15, NR16, NR17, NR17R modem firmware
- MediaTek MT2735, MT2737 standalone modems
- MediaTek MT6xxx series SoCs (MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993)
- MediaTek MT8676, MT8791 tablet/IoT processors
Discovery Timeline
- February 2, 2026 - CVE-2026-20420 published to NVD
- February 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20420
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), occurring within the modem firmware's error handling routines. The flaw allows an attacker to trigger improper memory access by sending specially crafted cellular signaling messages from a rogue base station to a connected User Equipment (UE). The modem firmware fails to properly validate and handle certain error conditions, leading to read operations beyond allocated memory boundaries, which ultimately causes a system crash.
The attack scenario involves a User Equipment (UE), such as a smartphone or tablet using an affected MediaTek modem, connecting to a malicious base station controlled by the attacker. Once connected, the attacker can send malformed signaling data that exploits the improper error handling in the modem firmware, resulting in denial of service without requiring any privileges on the target device.
Root Cause
The root cause of this vulnerability is incorrect error handling within the MediaTek modem firmware. When processing cellular network signaling data, the modem fails to properly validate boundary conditions before performing read operations. This lack of proper input validation allows malformed data from a rogue base station to trigger an out-of-bounds memory read, resulting in a system crash. The vulnerability is tracked internally by MediaTek as Patch ID MOLY01738313 and Issue ID MSV-5935.
Attack Vector
The attack vector for CVE-2026-20420 is network-based, requiring the target device to connect to an attacker-controlled rogue base station. This can be achieved through various techniques including:
- Setting up a fake base station with a stronger signal in proximity to the target
- Exploiting cellular network selection mechanisms to force device handover
- Targeting devices in areas with poor legitimate network coverage
Once the UE establishes a connection to the rogue base station, the attacker transmits specially crafted cellular protocol messages designed to trigger the incorrect error handling path in the modem firmware. The attack requires no user interaction and no special privileges, making it particularly dangerous in targeted denial of service scenarios.
Detection Methods for CVE-2026-20420
Indicators of Compromise
- Unexpected device reboots or modem crashes without apparent cause
- Unusual cellular network disconnection patterns followed by reconnection attempts
- Modem firmware crash logs indicating memory access violations or segmentation faults
- System logs showing abnormal cellular signaling processing errors
Detection Strategies
- Monitor device crash reports for modem-related exceptions, particularly those involving memory access errors
- Implement cellular network anomaly detection to identify suspicious base station behavior in enterprise environments
- Deploy mobile device management (MDM) solutions to track unusual device reboot patterns across managed fleets
- Utilize network-level monitoring to detect potential rogue base station activity near critical infrastructure
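The crash-report and reboot-pattern monitoring listed above can be turned into a simple fleet triage rule. The following Python sketch is an added example, not part of the original advisory or any MediaTek or MDM tooling: it flags devices with repeated modem crashes in a short window and sites where several distinct devices crash together, which fits a cause that depends on radio proximity. The export format, field names, event label and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MDM export (hypothetical format): timestamp,device,site,event
SAMPLE = """\
2026-02-10T09:14:03Z,dev-a1,site-hq,modem_crash
2026-02-10T09:14:40Z,dev-b2,site-hq,modem_crash
2026-02-10T09:15:10Z,dev-a1,site-hq,modem_crash
2026-02-10T09:16:55Z,dev-c3,site-hq,modem_crash
2026-02-10T09:17:20Z,dev-a1,site-hq,modem_crash
2026-02-10T11:02:00Z,dev-d4,site-lab,app_crash
2026-02-10T13:30:00Z,dev-e5,site-lab,modem_crash
2026-02-11T08:00:00Z,dev-e5,site-lab,modem_crash
not-a-time,dev-x,site-hq,modem_crash
"""

def parse(text):
    """Yield (time, device, site) for modem_crash rows; skip malformed rows."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or parts[3] != "modem_crash":
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def triage(text, window=timedelta(minutes=10), repeat=3, cluster=3):
    """Return (devices with >= `repeat` crashes inside `window`,
    sites with >= `cluster` distinct crashing devices inside `window`)."""
    by_dev, by_site = defaultdict(list), defaultdict(list)
    for ts, dev, site in sorted(parse(text)):
        by_dev[dev].append(ts)
        by_site[site].append((ts, dev))
    repeat_devices = set()
    for dev, times in by_dev.items():
        for i in range(len(times) - repeat + 1):
            if times[i + repeat - 1] - times[i] <= window:
                repeat_devices.add(dev)
    cluster_sites = set()
    for site, events in by_site.items():
        for i, (start, _) in enumerate(events):
            devs = {d for t, d in events[i:] if t - start <= window}
            if len(devs) >= cluster:
                cluster_sites.add(site)
    return sorted(repeat_devices), sorted(cluster_sites)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A site-level hit is a prompt to check baseband versions and radio logs on the affected devices, not proof of exploitation; modem crashes have many benign causes.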
Monitoring Recommendations
- Enable detailed modem logging on test devices to capture crash diagnostics when investigating potential exploitation
- Implement enterprise mobility management solutions to aggregate and analyze device health metrics across the organization
- Monitor for public disclosure of proof-of-concept exploits targeting this vulnerability
- Track MediaTek security bulletins for additional guidance and firmware update availability
How to Mitigate CVE-2026-20420
Immediate Actions Required
- Apply the latest firmware updates from device manufacturers that incorporate MediaTek's patch MOLY01738313
- Prioritize patching for devices used in sensitive environments or by high-value targets
- Contact device OEMs to determine patch availability timelines for specific device models
- Consider implementing cellular network access restrictions for high-security scenarios until patching is complete
Patch Information
MediaTek has released a security patch addressing this vulnerability, tracked as Patch ID MOLY01738313. The fix is documented in the MediaTek Security Bulletin for February 2026. Device manufacturers using affected MediaTek chipsets must integrate this patch into their firmware updates, which are then distributed to end users through standard OTA (over-the-air) update mechanisms.
Organizations should check with their device manufacturers for specific patch availability dates, as the timeline varies depending on the OEM's firmware release schedule.
Workarounds
- Avoid connecting to unknown or untrusted cellular networks, particularly in high-risk geographic areas
- When possible, prefer Wi-Fi connectivity over cellular in sensitive environments until the device is patched
- Consider implementing mobile threat defense solutions that can detect rogue base station activity
- For enterprise deployments, segment network access for unpatched devices to minimize potential impact
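```bash
# Verify MediaTek modem firmware version (Android devices)
adb shell getprop gsm.version.baseband
# List update-related packages (e.g. the OEM updater app); this does not show whether an update is pending
adb shell pm list packages -f | grep -i update
# Review modem crash logs for investigation (the radio buffer holds RIL/telephony messages)
adb logcat -b main -b system -b radio -d | grep -iE "modem|baseband|ril"
```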
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

