CVE-2026-20422 Overview
CVE-2026-20422 is a denial of service vulnerability affecting the modem component in a wide range of MediaTek chipsets. The vulnerability arises from improper input validation in the modem firmware, which can be exploited to cause a system crash when a user equipment (UE) device connects to a rogue base station controlled by an attacker. This attack requires no user interaction and no additional execution privileges, making it particularly concerning for mobile devices in areas where attackers could deploy malicious cellular infrastructure.
Critical Impact
Remote denial of service affecting mobile devices using MediaTek modem chipsets when connected to attacker-controlled rogue base stations. No user interaction required for exploitation.
Affected Products
- MediaTek NR15, NR16, NR17, NR17R (5G NR modem software)
- MediaTek Dimensity Series (MT6833, MT6853, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT6985, MT6989, and others)
- MediaTek MT87xx Series tablet chipsets (MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8775, MT8791, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893)
Discovery Timeline
- February 2, 2026 - CVE-2026-20422 published to NVD
- February 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20422
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the modem firmware contains an assertion or validation check that can be triggered by external input, leading to an abrupt termination of the modem process. The flaw exists in the baseband modem component responsible for processing cellular network communications.
The vulnerability is particularly dangerous because it can be exploited remotely through the cellular radio interface. An attacker operating a rogue base station can send specially crafted signaling messages to devices within radio range. When a vulnerable MediaTek-powered device attempts to connect to or processes messages from this malicious base station, the improper input validation causes the modem to crash, resulting in a denial of service condition.
The attack does not require the attacker to have any prior privileges on the target device, and the victim does not need to perform any action beyond being within range of the rogue base station. Because radio proximity is the only precondition, the vulnerability lends itself to targeted attacks in specific geographic locations.
Root Cause
The root cause of CVE-2026-20422 is improper input validation in the MediaTek modem firmware. The modem component fails to adequately validate input received during cellular network communications, particularly when processing signaling messages from base stations. When malformed or unexpected data is received, the firmware triggers an assertion failure or exception that causes the entire modem subsystem to crash.
The vulnerability is tracked internally by MediaTek as Patch ID: MOLY00827332 and Issue ID: MSV-5919.
Attack Vector
The attack vector for this vulnerability involves deploying a rogue cellular base station (also known as a fake base station, IMSI catcher, or stingray device). The attack flow proceeds as follows:
- The attacker sets up a rogue base station broadcasting stronger signals than legitimate cell towers in the target area
- Vulnerable devices with MediaTek modem chipsets automatically connect to the rogue base station following standard cellular protocols
- The attacker sends specially crafted signaling messages containing malformed input data
- The MediaTek modem firmware processes this input without proper validation
- An assertion failure or exception is triggered, causing the modem to crash
- The device loses cellular connectivity, resulting in denial of service
This attack can be repeated continuously, preventing affected devices from maintaining stable cellular connections while within range of the malicious base station.
Detection Methods for CVE-2026-20422
Indicators of Compromise
- Unexpected modem crashes or cellular connectivity loss in devices using MediaTek chipsets
- Frequent device reboots or modem subsystem restarts in specific geographic locations
- Anomalous cellular signal patterns suggesting presence of rogue base stations
- Device logs showing modem assertion failures or firmware exceptions
Detection Strategies
- Monitor fleet devices for patterns of modem crashes or cellular connectivity issues concentrated in specific areas
- Implement mobile threat detection solutions capable of identifying rogue base station activity
- Deploy network monitoring to detect anomalous cellular infrastructure in sensitive locations
- Analyze device telemetry for modem subsystem restart patterns that could indicate exploitation
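The fleet-level correlation described in the strategies above can be sketched as follows. This is an added example, not code from MediaTek or from the original page; the telemetry schema (device ID, timestamp, area label, event type), the event name `modem_restart`, and the thresholds are assumptions. It groups modem restarts per area into bursts and flags only bursts that involve several distinct devices, which separates a location-correlated cause from a single faulty unit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical schema, not from any MDM product):
# (device_id, ISO-8601 timestamp, area label, event type)
SAMPLE_EVENTS = [
    ("dev-01", "2026-02-10T09:00:00", "site-A", "modem_restart"),
    ("dev-02", "2026-02-10T09:04:00", "site-A", "modem_restart"),
    ("dev-03", "2026-02-10T09:07:00", "site-A", "modem_restart"),
    ("dev-01", "2026-02-10T09:12:00", "site-A", "modem_restart"),
    ("dev-02", "2026-02-10T09:20:00", "site-A", "modem_restart"),
    ("dev-04", "2026-02-10T14:00:00", "site-A", "modem_restart"),
    ("dev-07", "2026-02-10T10:00:00", "site-B", "modem_restart"),
    ("dev-07", "2026-02-10T10:05:00", "site-B", "modem_restart"),
    ("dev-07", "2026-02-10T10:10:00", "site-B", "modem_restart"),
    ("dev-08", "2026-02-10T10:06:00", "site-B", "wifi_drop"),
]

def find_crash_clusters(events, max_gap=timedelta(minutes=15), min_devices=3):
    """Flag bursts of modem restarts in one area that span >= min_devices devices.

    A burst is a run of restarts in the same area where consecutive events
    are at most max_gap apart.
    """
    by_area = defaultdict(list)
    for dev, ts, area, kind in events:
        if kind == "modem_restart":          # ignore unrelated telemetry
            by_area[area].append((datetime.fromisoformat(ts), dev))

    clusters = []
    for area, rows in sorted(by_area.items()):
        rows.sort()
        burst = [rows[0]]
        for row in rows[1:] + [None]:        # None is a sentinel that flushes the last burst
            if row is not None and row[0] - burst[-1][0] <= max_gap:
                burst.append(row)
                continue
            devices = sorted({d for _, d in burst})
            if len(devices) >= min_devices:  # one flapping device is not a cluster
                clusters.append({"area": area, "start": burst[0][0],
                                 "end": burst[-1][0], "devices": devices,
                                 "restarts": len(burst)})
            if row is not None:
                burst = [row]
    return clusters

if __name__ == "__main__":
    for c in find_crash_clusters(SAMPLE_EVENTS):
        print(c["area"], c["start"], c["end"], c["devices"], c["restarts"])
```

A flagged cluster is a triage signal for the affected area, to be checked against patch level and chipset inventory before drawing conclusions about its cause.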
Monitoring Recommendations
- Enable detailed logging on mobile device management (MDM) platforms to capture modem crash events
- Implement alerting for patterns of cellular connectivity issues across managed device fleets
- Consider deploying RF monitoring solutions in high-security environments to detect rogue base stations
- Coordinate with cellular carriers to report suspected fake base station activity
How to Mitigate CVE-2026-20422
Immediate Actions Required
- Apply firmware updates from MediaTek and device OEMs as they become available
- Review the MediaTek Product Security Bulletin for February 2026 for specific patch information
- Inventory all devices using affected MediaTek chipsets within your organization
- Consider restricting use of vulnerable devices in high-risk environments until patches are applied
Patch Information
MediaTek has addressed this vulnerability in their February 2026 security bulletin. The patch is tracked as MOLY00827332. Device manufacturers (OEMs) will need to integrate this patch into their firmware updates and distribute them to end users through their normal update channels.
Users should check with their device manufacturer for firmware updates that address this vulnerability. For Android devices, this fix may be distributed through monthly security patch updates once integrated by the device OEM.
Workarounds
- Avoid connecting to untrusted or unknown cellular networks when possible
- In high-security environments, consider using devices with alternative modem chipsets until patches are available
- Enable WiFi calling as a backup communication method in case of cellular connectivity disruption
- For enterprise deployments, consider mobile threat defense solutions that can detect rogue base station activity
```bash
# Check MediaTek chipset information on Android devices (requires ADB access)
adb shell getprop ro.hardware
adb shell getprop ro.board.platform

# Review modem logs for crash indicators
# -d dumps the current radio buffer and exits instead of streaming indefinitely
adb logcat -b radio -d | grep -iE "crash|assertion|exception"
```


