CVE-2026-20449: Mediatek Mt6763 Firmware DOS Vulnerability

CVE-2026-20449 Overview

CVE-2026-20449 is a heap buffer overflow vulnerability [CWE-120] in the MediaTek Modem component affecting a wide range of MediaTek system-on-chip (SoC) firmware. An attacker operating a rogue base station within radio range of a vulnerable user equipment (UE) can trigger a system crash, resulting in remote denial of service. Exploitation requires no user interaction and no additional execution privileges. MediaTek tracks the fix as Patch ID MOLY01760138 and Issue ID MSV-6148, published in the MediaTek Product Security Bulletin for May 2026.

Critical Impact

A rogue base station within radio range can crash the modem of an affected MediaTek-powered device, disrupting cellular connectivity without any interaction from the user.

Affected Products

• MediaTek 4G/5G smartphone SoCs including MT6739, MT6761–MT6789, MT6813–MT6899, MT6980–MT6993
• MediaTek automotive and IoT modem platforms including MT2735, MT2737
• MediaTek connected device SoCs including MT8668–MT8893 series firmware

Discovery Timeline

• 2026-05-04 - CVE-2026-20449 published to NVD
• 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-20449

Vulnerability Analysis

The flaw resides in the cellular modem firmware that runs on MediaTek baseband processors. The modem processes signaling messages received over the air interface from the serving base station. A malformed or oversized field in one of these messages causes the modem to write past the bounds of a heap-allocated buffer. The corrupted heap state leads to a system crash and loss of cellular service. Because the vulnerability is reachable before the UE has authenticated the network, an attacker can deliver the malicious payload from a rogue base station the device attaches to during cell selection or reselection.

The attack surface is the radio (adjacent network) interface, which limits exploitation to attackers within RF range of the target. Impact is restricted to availability — the modem crash forces a baseband reset and disrupts voice, SMS, and data connectivity until the device recovers.

Root Cause

The root cause is improper validation of the length or structure of an attacker-controlled field in a modem signaling message. The modem allocates a heap buffer based on assumed bounds, then copies inbound data without enforcing those bounds, producing a classic heap buffer overflow [CWE-120]. MediaTek's fix, identified as MOLY01760138, adds the missing length checks in the modem firmware codebase.

Attack Vector

Exploitation requires the attacker to operate a rogue base station broadcasting on a frequency the target UE will attach to. Once the UE camps on the rogue cell, the attacker sends a crafted signaling message containing the malformed field. No SIM credentials, user prompts, or prior pairing are required. The attacker cannot read or modify user data through this flaw — the only observed outcome is a modem crash and resulting denial of service.

No public proof-of-concept code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-20449

Indicators of Compromise

• Unexpected modem resets or baseband panics correlated with the device entering range of an unknown cell tower.
• Sudden, repeated loss of cellular service (no signal, emergency calls only) on MediaTek-powered devices in a localized area.
• Device logs (tombstones, modem_log, mdlog) referencing crashes in modem signaling handlers around the time of attachment.

Detection Strategies

• Mobile device management (MDM) telemetry: monitor for elevated baseband crash counts and reboot events on fleets of MediaTek devices.
• Cellular environment monitoring: use IMSI-catcher detection tooling or rogue base station scanners in sensitive locations to flag unauthorized cells broadcasting target PLMNs.
• Crash log triage: investigate any modem ramdumps that show heap corruption signatures within the layer 3 signaling stack.

Monitoring Recommendations

• Track MediaTek security bulletin advisories and correlate device firmware versions in your inventory against the patched build for MOLY01760138.
• Aggregate baseband crash reports across managed mobile endpoints to detect clustered failures suggestive of an active rogue cell.
• Validate that OEM monthly security patch level (SPL) on deployed devices is May 2026 or later.

How to Mitigate CVE-2026-20449

Immediate Actions Required

• Apply the May 2026 (or later) Android/OEM security patch level on all MediaTek-powered devices in your inventory.
• Identify devices that cannot receive vendor updates and prioritize replacement, especially for users in higher-risk roles or locations.
• Educate high-risk users to favor Wi-Fi calling or to disable 2G/3G fallback where the option is exposed by the OEM.

Patch Information

MediaTek addressed CVE-2026-20449 with Patch ID MOLY01760138 (Issue ID MSV-6148), distributed through the MediaTek Product Security Bulletin May 2026. The fix is delivered to end users via OEM firmware updates that incorporate MediaTek's modem patch into the device security patch level.

Workarounds

• No vendor-supplied software workaround eliminates the flaw — only the firmware update remediates the vulnerability.
• Reduce exposure by limiting use of affected devices in untrusted RF environments until patches are installed.
• Where supported by the OEM, restrict the device to 5G standalone (SA) and disable legacy RAT fallback to shrink the attack surface for rogue base stations.

# Verify the Android security patch level on a managed device via adb
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-05-01 or later