CVE-2026-20450 Overview
CVE-2026-20450 is a denial of service vulnerability in the MediaTek Modem component caused by incorrect error handling [CWE-617]. An attacker operating a rogue base station can trigger a system crash on a connected User Equipment (UE) device. Exploitation requires no user interaction and no additional execution privileges. The vulnerability affects a broad range of MediaTek chipsets used in smartphones, tablets, and IoT devices. MediaTek tracks this issue as MSV-6100 and resolved it with patch ID MOLY01753620, published in the May 2026 Product Security Bulletin.
Critical Impact
A nearby attacker running a rogue base station can remotely crash the modem subsystem of an affected device, disrupting cellular connectivity until the device recovers.
Affected Products
- MediaTek modem firmware across the MT2735/MT2737, MT6xxx, and MT8xxx chipset families
- Smartphones, tablets, and connected devices using vulnerable MediaTek baseband modems
- Devices running modem builds prior to patch ID MOLY01753620
Discovery Timeline
- 2026-05-04 - CVE-2026-20450 published to NVD
- 2026-05-04 - MediaTek releases security patch via May 2026 Product Security Bulletin
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-20450
Vulnerability Analysis
The vulnerability resides in the MediaTek Modem firmware, which implements cellular protocol stacks for the affected chipsets. The flaw is classified as a reachable assertion or unreachable code path under [CWE-617], where unexpected protocol input drives the modem into an error state it does not handle correctly. When the malformed condition is reached, the modem subsystem crashes, terminating cellular service on the device.
Because exploitation occurs over the cellular radio interface, the attack vector is adjacent network and requires the victim UE to attach to attacker-controlled radio infrastructure. No authentication or user interaction is required, and confidentiality and integrity are not impacted — only availability.
Root Cause
The modem firmware fails to correctly handle a specific error condition during cellular signaling. When the modem processes the unexpected message or state from the network, the missing or improper error path triggers an abnormal termination of the modem process. MediaTek addressed the defect under issue ID MSV-6100 with patch MOLY01753620.
Attack Vector
An attacker stands up a rogue base station within radio range of the target device and induces the UE to attach. Once connected, the attacker transmits crafted signaling that drives the modem through the unhandled error path. The modem subsystem crashes, causing loss of cellular voice and data service. Recovery typically requires the modem to restart, and repeated transmission can sustain the denial-of-service condition while the victim remains in range of the rogue cell.
No public proof-of-concept code or exploit has been released for CVE-2026-20450 at the time of publication. Technical specifics are described in the MediaTek Security Bulletin May 2026.
Detection Methods for CVE-2026-20450
Indicators of Compromise
- Repeated, unexplained modem resets or radio interface restarts on affected MediaTek-based devices
- Sudden loss of cellular service when a device is in proximity to an unfamiliar cell tower or unknown PLMN identifier
- Modem crash logs or kernel messages referencing the MOLY/Modem stack on devices without the May 2026 MediaTek patch
Detection Strategies
- Inventory mobile fleet devices to identify MediaTek chipsets in scope (MT2735, MT2737, MT6xxx, MT8xxx series) and verify modem firmware build against the May 2026 patch level
- Monitor mobile device management (MDM) telemetry for abnormal frequencies of cellular disconnects or modem reboot events
- Use radio frequency monitoring in sensitive facilities to detect unauthorized base stations operating on commercial cellular bands
Monitoring Recommendations
- Correlate device-side modem crash signals with location data to identify clustered failures suggesting a rogue base station
- Track MediaTek security bulletin advisories and align device patch SLAs with vendor release cadence
- For high-risk users, enable carrier-side anomaly detection for unusual attachment patterns to unknown cells
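The correlation of modem crash signals with location described above can be sketched as follows. This is an added example, not code from MediaTek or from this advisory; the telemetry fields, grid size, time window and device threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MDM telemetry (not real data): one row per modem reset event.
# Assumed fields: device id, event time, latitude, longitude, serving PLMN.
EVENTS = [
    ("dev-01", "2026-05-10T09:01:00", 52.5201, 13.4049, "00101"),
    ("dev-02", "2026-05-10T09:03:30", 52.5203, 13.4051, "00101"),
    ("dev-01", "2026-05-10T09:06:10", 52.5202, 13.4050, "00101"),
    ("dev-03", "2026-05-10T09:09:45", 52.5199, 13.4047, "00101"),
    ("dev-04", "2026-05-10T14:20:00", 48.1371, 11.5754, "26201"),  # isolated reset
    ("dev-02", "2026-05-11T18:00:00", 52.5203, 13.4051, "26201"),  # same place, next day
]

def grid_cell(lat, lon, size_deg=0.005):
    """Snap a position to a coarse grid (about 500 m) so nearby resets group together."""
    return (round(lat / size_deg), round(lon / size_deg))

def find_clusters(events, window=timedelta(minutes=15), min_devices=3):
    """Return, per grid cell, the densest time window in which at least
    min_devices distinct devices reported a modem reset."""
    by_cell = defaultdict(list)
    for dev, ts, lat, lon, plmn in events:
        by_cell[grid_cell(lat, lon)].append((datetime.fromisoformat(ts), dev, plmn))
    clusters = []
    for cell, rows in by_cell.items():
        rows.sort()                      # chronological order within the cell
        start, best = 0, None
        for end in range(len(rows)):     # sliding window over reset times
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            devices = {d for _, d, _ in span}
            if len(devices) >= min_devices and (best is None or len(span) > best["resets"]):
                best = {"cell": cell, "first": span[0][0], "last": span[-1][0],
                        "devices": sorted(devices), "resets": len(span),
                        "plmns": sorted({p for _, _, p in span})}
        if best:
            clusters.append(best)
    return clusters

if __name__ == "__main__":
    for c in find_clusters(EVENTS):
        print(c["cell"], c["first"], c["last"], c["devices"], c["resets"], c["plmns"])
```

A single device resetting in isolation is not flagged; several distinct devices resetting in the same grid cell within minutes is the pattern worth escalating to RF monitoring. Events that straddle a grid boundary fall into separate cells, so tune the grid size to the site being monitored.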
How to Mitigate CVE-2026-20450
Immediate Actions Required
- Apply the MediaTek modem firmware update containing patch ID MOLY01753620 as soon as it is delivered through the device OEM
- Identify all devices using affected MediaTek chipsets and prioritize patch deployment for high-value users and executives
- For users in high-risk environments, restrict cellular use until firmware updates are installed or use devices on patched chipsets
Patch Information
MediaTek published the fix in the MediaTek Security Bulletin May 2026 under patch ID MOLY01753620 and issue ID MSV-6100. Device manufacturers must integrate the patched modem image into their OTA updates. Users should install the OEM update that references the May 2026 MediaTek patch level.
Workarounds
- No vendor-supplied workaround exists; firmware patching is the only durable remediation
- Where feasible, lock devices to trusted carrier networks and disable automatic attachment to unknown cells
- In sensitive locations, use Faraday enclosures or RF-shielded rooms to prevent UE attachment to rogue base stations