CVE-2026-20421 Overview
CVE-2026-20421 is an Out-of-Bounds Read vulnerability (CWE-125) affecting MediaTek modem chipsets used in numerous mobile devices. The vulnerability exists in the modem firmware and allows remote attackers to trigger a system crash through improper input validation. When a User Equipment (UE) device connects to a rogue base station controlled by an attacker, specially crafted input can cause the modem to read beyond allocated memory boundaries, resulting in a denial of service condition.
This vulnerability is particularly concerning because it requires no user interaction and no additional execution privileges to exploit. The attack can be carried out remotely over the network interface, making it a significant threat to mobile device availability.
Critical Impact
Remote attackers operating a rogue base station can cause affected MediaTek-powered mobile devices to crash, resulting in complete loss of cellular connectivity and potential device instability.
Affected Products
- MediaTek NR15 (5G modem software)
- MediaTek MT2735 (5G modem chipset)
- MediaTek MT6833, MT6853, MT6855, MT6873, MT6875, MT6877 (Dimensity series SoCs)
- MediaTek MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893 (Dimensity 5G SoCs)
- MediaTek MT8791 (5G modem chipset)
Discovery Timeline
- February 2, 2026 - CVE-2026-20421 published to NVD
- February 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20421
Vulnerability Analysis
This vulnerability stems from improper input validation within the MediaTek modem firmware. The modem component fails to properly validate input data received during cellular network communication, leading to an out-of-bounds read condition (CWE-125). When exploited, the vulnerability causes the modem subsystem to crash, resulting in a denial of service that affects the device's cellular connectivity.
The vulnerability is tracked internally by MediaTek as Patch ID: MOLY01738293 and Issue ID: MSV-5922. The attack requires the victim's device to connect to a malicious base station, which could be deployed using software-defined radio equipment in proximity to target devices.
Root Cause
The root cause of CVE-2026-20421 is insufficient bounds checking on input data processed by the modem firmware. When the modem receives certain malformed or specially crafted signaling messages from a base station, it attempts to read memory beyond the allocated buffer boundaries. This out-of-bounds read operation triggers a fault condition that causes the modem subsystem to crash.
The lack of proper input sanitization in the baseband processing code allows an attacker-controlled base station to send malicious data that exploits this parsing weakness.
Attack Vector
The attack vector for this vulnerability involves setting up a rogue cellular base station (also known as a "stingray" or IMSI catcher type device) within radio range of target devices. The attack flow is as follows:
- The attacker deploys a rogue base station that masquerades as a legitimate cellular tower
- Target devices with affected MediaTek modem chipsets connect to the rogue base station
- The attacker sends specially crafted signaling messages to the connected device
- The modem firmware's improper input validation leads to an out-of-bounds read
- The modem crashes, causing loss of cellular connectivity
The vulnerability mechanism involves malformed data being passed to the modem's signaling parser without adequate boundary validation. When the parser attempts to process fields that reference memory offsets beyond the input buffer, the out-of-bounds read triggers a system fault. Technical details regarding the specific signaling messages and data structures involved can be found in the MediaTek Product Security Bulletin.
Detection Methods for CVE-2026-20421
Indicators of Compromise
- Unexpected modem crashes or cellular connectivity losses on devices using affected MediaTek chipsets
- Device logs showing modem subsystem restarts or crash dumps related to baseband processing
- Multiple devices in the same geographic area experiencing simultaneous cellular connectivity issues
- Presence of unknown or suspicious cellular base stations in the RF environment
Detection Strategies
- Monitor device logs for modem crash events and baseband fault indicators specific to MediaTek modems
- Implement RF monitoring to detect rogue base stations or anomalous cellular signaling in sensitive areas
- Use mobile device management (MDM) solutions to aggregate and analyze device health telemetry across a fleet
- Deploy network-based detection for unusual cellular protocol behavior or malformed signaling messages
Monitoring Recommendations
- Enable verbose logging on affected devices to capture modem subsystem events and crash diagnostics
- Establish baseline cellular connectivity metrics to identify anomalous disconnection patterns
- Implement alerting for repeated modem restarts across multiple devices in proximity
- Consider deploying cellular intrusion detection systems in high-security environments
How to Mitigate CVE-2026-20421
Immediate Actions Required
- Identify all devices in your organization using affected MediaTek chipsets and prioritize them for firmware updates
- Contact device manufacturers to obtain the latest firmware containing the MediaTek security patch
- In high-risk environments, consider temporarily using alternative connectivity methods (Wi-Fi) until patches are applied
- Educate users about the risk and symptoms of this vulnerability
Patch Information
MediaTek has released a security patch addressing this vulnerability, tracked as Patch ID: MOLY01738293. The patch is detailed in the MediaTek Product Security Bulletin for February 2026.
Device manufacturers integrating MediaTek chipsets must incorporate this patch into their firmware updates. End users should contact their device manufacturer or carrier to obtain the patched firmware version for their specific device model. Apply firmware updates as soon as they become available from your device manufacturer.
Workarounds
- Avoid connecting to untrusted or unknown cellular networks, particularly in high-risk locations
- Where feasible, use Wi-Fi connectivity instead of cellular data in sensitive environments
- Implement network selection policies that restrict automatic connection to cellular networks if supported by your MDM solution
- Physical security measures to prevent attackers from deploying rogue base stations near sensitive facilities
Device firmware updates remain the only complete solution, as the vulnerability exists at the modem firmware level. Configuration-based mitigations are limited for baseband vulnerabilities, making timely patching essential.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
