CVE-2026-20431: Mediatek Mt6813 Firmware DOS Vulnerability

CVE-2026-20431 Overview

CVE-2026-20431 is a denial-of-service vulnerability in the MediaTek Modem component caused by a logic error. An attacker operating a rogue base station within radio range can trigger a system crash on a connected User Equipment (UE). Exploitation requires no user interaction and no additional execution privileges. The flaw is tracked by MediaTek under Patch ID MOLY01106496 and Issue ID MSV-4467, and it affects a broad range of MediaTek smartphone and platform System-on-Chips (SoCs). The weakness is classified under [CWE-770: Allocation of Resources Without Limits or Throttling].

Critical Impact

An adjacent attacker controlling a rogue base station can remotely crash the modem of a connected device, producing high availability impact without any user interaction.

Affected Products

• MediaTek MT6813, MT6815, MT6835, MT6878, MT6897, MT6899, MT6986, MT6991, MT6993 smartphone SoCs and firmware
• MediaTek MT8668, MT8676, MT8678, MT8755, MT8775, MT8792, MT8793 platform SoCs and firmware
• MediaTek MT8863, MT8873, MT8883 platform SoCs and firmware

Discovery Timeline

• 2026-04-07 - CVE-2026-20431 published to NVD
• 2026-04-07 - MediaTek publishes Product Security Bulletin (April 2026) referencing Patch ID MOLY01106496
• 2026-04-10 - Last updated in NVD database

Technical Details for CVE-2026-20431

Vulnerability Analysis

The vulnerability resides in the cellular Modem stack shipped with multiple MediaTek SoCs. A logic error in the modem's handling of signaling messages received from the serving base station leads to an unrecoverable state and a system crash. Because the issue is reached through over-the-air radio signaling, an attacker does not need network credentials, user interaction, or local code execution on the device. The impact is confined to availability — confidentiality and integrity of device data are not affected — but the modem crash interrupts cellular service and can force a device reboot.

Root Cause

The root cause is a logic flaw in the modem firmware when processing attacker-controlled protocol input from a base station. Mapped to [CWE-770], the condition reflects insufficient validation or throttling of resources tied to specific signaling paths, allowing a single malformed or unexpected sequence to crash the modem subsystem. MediaTek's fix is delivered via firmware patch MOLY01106496.

Attack Vector

Exploitation requires adjacency to the victim — specifically, that the target UE attaches to a rogue base station operated by the attacker. Rogue base stations can be built from commodity software-defined radios and open-source cellular stacks. Once the UE camps on the malicious cell, the attacker delivers the triggering signaling message, and the modem crashes. The attack is suited to localized disruption of mobile connectivity in a specific physical area, such as a venue, building, or convoy route.

No public proof-of-concept exploit is available for CVE-2026-20431, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the MediaTek Security Bulletin April 2026 for vendor technical details.

Detection Methods for CVE-2026-20431

Indicators of Compromise

• Unexpected modem resets, baseband crashes, or repeated cellular radio re-attach events on affected MediaTek devices.
• Device logs or carrier-side records showing UEs attaching to unknown Public Land Mobile Network (PLMN) identifiers or cells with anomalous cell IDs and signal characteristics.
• Clusters of cellular service interruptions geographically correlated to a specific location, suggesting a localized rogue base station.

Detection Strategies

• Monitor mobile device management (MDM) telemetry for elevated rates of modem crash reports, baseband ramdumps, or unexplained reboots on MediaTek-based fleets.
• Use cellular threat detection tooling capable of identifying rogue base stations through neighbor cell anomalies, unexpected downgrade requests, or invalid network operator information.
• Correlate user-reported loss of cellular service in defined geographic areas with timestamps of baseband resets across multiple devices.

Monitoring Recommendations

• Aggregate baseband crash logs from enterprise-managed MediaTek devices into a centralized log platform for trend analysis.
• Track patch level of MediaTek modem firmware against MediaTek's April 2026 Security Bulletin to identify unpatched hosts.
• Establish baseline cellular attach behavior for high-value users so deviations such as repeated attaches to unknown carriers can be flagged.

How to Mitigate CVE-2026-20431

Immediate Actions Required

• Identify all enterprise and BYOD devices using affected MediaTek SoCs listed in the April 2026 advisory.
• Apply the device OEM firmware update incorporating MediaTek Patch ID MOLY01106496 as soon as it becomes available from the handset or platform vendor.
• For high-risk users, restrict cellular roaming to trusted operators and prefer Wi-Fi calling where feasible until patches are deployed.

Patch Information

MediaTek has released a firmware fix tracked as Patch ID MOLY01106496 (Issue ID MSV-4467), described in the MediaTek Product Security Bulletin April 2026. The patch is distributed to device manufacturers, who must integrate it into their own firmware updates. Administrators should track each OEM's release schedule for the affected SoC models.

Workarounds

• No software workaround removes the underlying logic flaw; the modem firmware patch is required.
• Reduce exposure by disabling 2G/legacy radio access technologies where the device platform supports it, lowering the chance of attachment to a rogue cell.
• Educate high-value users to recognize sudden, repeated loss of cellular service in specific locations and to power-cycle or move out of the affected area.

# Example: query installed MediaTek baseband / firmware build on Android via adb
adb shell getprop | grep -Ei "ro.build.version|gsm.version.baseband|ro.boot.hardware"