CVE-2026-20430 Overview
CVE-2026-20430 is an out-of-bounds write vulnerability in MediaTek wireless LAN access point firmware. The flaw stems from an incorrect bounds check in the WLAN AP firmware code path. An attacker on an adjacent network can trigger memory corruption without user interaction or prior authentication. Successful exploitation results in remote privilege escalation on the affected device.
The vulnerability affects multiple MediaTek Wi-Fi chipsets commonly deployed in consumer and enterprise routers, including units running OpenWrt. MediaTek tracks the fix as Patch ID WCNCR00467553 and Issue ID MSV-5151.
Critical Impact
An unauthenticated attacker within wireless range can corrupt memory in the WLAN AP firmware and escalate privileges on affected MediaTek-based devices.
Affected Products
- MediaTek Software Development Kit
- MediaTek chipsets: MT6890, MT7915, MT7916, MT7981, MT7986
- OpenWrt versions 19.07.0, 21.02.0, and 23.05.0
Discovery Timeline
- 2026-03-02 - CVE-2026-20430 published to NVD
- 2026-03-02 - MediaTek publishes Product Security Bulletin for March 2026
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-20430
Vulnerability Analysis
The vulnerability is an out-of-bounds write classified under CWE-787. The defect lives in the WLAN access point firmware shipped with the MediaTek Software Development Kit. The firmware performs an incorrect bounds check before writing data into a buffer. As a result, attacker-controlled input can write past the intended buffer boundary and corrupt adjacent memory structures used by the firmware.
Because the vulnerable code runs inside the wireless AP firmware, exploitation grants the attacker execution context at the firmware level. This enables privilege escalation on the device without requiring any existing execution privileges. The attack vector is adjacent network, meaning the attacker must be within radio range of the affected access point. No user interaction is required to trigger the condition.
Devices built on the MT7915, MT7916, MT7981, MT7986, and MT6890 chipsets are widely used in Wi-Fi 6 routers and OpenWrt-based platforms. This expands the exposure footprint across consumer, small business, and enterprise networking gear.
Root Cause
The root cause is an incorrect bounds check in the WLAN AP firmware that fails to constrain a length or index value before performing a memory write. The check does not properly validate attacker-influenced input against the destination buffer size, allowing the write operation to extend beyond the allocated region.
Attack Vector
An attacker positioned within wireless range of the affected access point can transmit crafted Wi-Fi frames that reach the vulnerable parsing or handling routine in the AP firmware. No association, authentication, or user interaction is required. The crafted frames cause the firmware to write beyond the bounds of a buffer, corrupting memory and enabling privilege escalation on the device. Refer to the MediaTek Security Bulletin March 2026 for vendor technical details.
Detection Methods for CVE-2026-20430
Indicators of Compromise
- Unexpected reboots, crashes, or watchdog resets on MediaTek-based access points and routers.
- Anomalous wireless frames containing oversized or malformed fields directed at the AP management interface.
- Unauthorized configuration changes or new administrative sessions appearing on affected devices.
- Outbound connections from the router to unknown destinations following abnormal wireless activity.
Detection Strategies
- Monitor router and AP system logs for kernel panics, firmware assertions, or repeated WLAN driver restarts.
- Inspect wireless IDS or WIPS telemetry for malformed management or control frames targeting affected SSIDs.
- Correlate device firmware versions against the MediaTek March 2026 bulletin to identify unpatched assets.
- Track integrity of router configuration files and credentials to detect post-exploitation tampering.
Monitoring Recommendations
- Centralize syslog from OpenWrt and vendor firmware running on MT7915, MT7916, MT7981, MT7986, and MT6890 platforms.
- Alert on repeated wireless driver faults, unexpected privilege transitions, or new processes spawned on the AP.
- Baseline normal wireless management frame patterns and flag deviations from authorized clients.
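The log-monitoring items above, as an added example that is not part of the original advisory: a POSIX shell function that reads centralized RFC 3164 syslog and reports each AP host with at least a threshold number of WLAN or firmware fault lines inside a sliding time window. The fault patterns, host names and sample log lines are constructed assumptions, not MediaTek or OpenWrt message formats, and should be tuned to what the deployed firmware actually logs.

```shell
#!/bin/sh
# Added example: flag APs with repeated WLAN/firmware faults in central syslog.
# FAULT_RE is an assumed pattern set; adjust to your firmware's real messages.
FAULT_RE='kernel panic|watchdog|firmware (crash|assert)|mcu .*timeout|wlan.*restart'

# flag_wlan_faults THRESHOLD WINDOW_SECONDS  (reads RFC 3164 syslog on stdin)
# Prints "host count" for each host whose peak fault count in any window
# of WINDOW_SECONDS reaches THRESHOLD.
flag_wlan_faults() {
    awk -v thresh="$1" -v win="$2" -v re="$FAULT_RE" '
    {
        if (tolower($0) !~ re) next
        split($3, t, ":")
        # Day-of-month based clock; month rollover is ignored for brevity.
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        host = $4
        n = ++tail[host]
        ts[host, n] = now
        if (!(host in head)) head[host] = 1
        # Drop events that have aged out of the window.
        while (now - ts[host, head[host]] > win) {
            delete ts[host, head[host]]
            head[host]++
        }
        inwin = n - head[host] + 1
        if (inwin > best[host]) best[host] = inwin
    }
    END { for (h in best) if (best[h] >= thresh) print h, best[h] }
    ' | sort
}

# Constructed sample lines (not real device output).
sample_log() {
cat <<'EOF'
Mar  3 02:14:07 ap-lobby kernel: [ 812.4] wlan0: firmware assert, restarting
Mar  3 02:14:09 ap-lab kernel: [ 55.1] br-lan: port 2(wlan0) entered forwarding state
Mar  3 02:15:31 ap-lobby kernel: [ 896.0] MCU message timeout on wlan0
Mar  3 02:16:02 ap-lobby procd: watchdog reset detected
Mar  3 02:20:00 ap-lab kernel: [ 400.2] wlan0: firmware assert, restarting
Mar  3 09:45:10 ap-lab kernel: [ 9000.7] wlan0: firmware assert, restarting
EOF
}

# Three or more faults within 10 minutes on one AP.
sample_log | flag_wlan_faults 3 600
```

A single fault line is usually noise; the window and threshold separate an AP that is being crashed repeatedly from one that restarted once.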
How to Mitigate CVE-2026-20430
Immediate Actions Required
- Inventory all MediaTek-based access points and routers, including OpenWrt deployments on affected chipsets.
- Apply the MediaTek firmware update referenced by Patch ID WCNCR00467553 (Issue ID MSV-5151) as soon as vendor builds are available.
- Restrict physical and wireless proximity access to high-value access points until patches are deployed.
- Disable unnecessary radios or guest networks on exposed devices to reduce the attack surface.
Patch Information
MediaTek published the fix in its MediaTek Security Bulletin March 2026 under Patch ID WCNCR00467553 and Issue ID MSV-5151. Downstream vendors and OpenWrt maintainers must integrate the MediaTek SDK update into device firmware images. OpenWrt users on releases 19.07.0, 21.02.0, and 23.05.0 should track upstream advisories and upgrade to firmware builds incorporating the patched MediaTek driver and AP firmware.
Workarounds
- Reduce wireless transmit power and physically isolate access points to limit adjacent-network exposure.
- Segment management VLANs so that compromise of an AP does not grant access to sensitive internal networks.
- Where feasible, disable affected radios on devices that cannot be promptly updated.
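# Example: check the OpenWrt release and disable a vulnerable radio until patched
cat /etc/openwrt_release
# radio0 is the first wifi-device section; repeat for radio1 etc. on multi-band devices
uci set wireless.radio0.disabled='1'
# Persist the change and apply it to the running radios
uci commit wireless
wifi reload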