Detection of Null Pointer Dereference in MediaTek VoLTE Stack Firmware with sipgate and ISMK Stralsund
Together with sipgate and ISMK Stralsund, Gabriel Gegenhuber, researcher at SBA Research and University of Vienna, and Michael Pucher, researcher at University of Vienna, discovered and investigated a vulnerability in the Voice over LTE (VoLTE) stack that is broadly used within MediaTek-based smartphones.
In May 2025, sipgate uncovered a critical firmware vulnerability in the VoLTE (Voice over LTE) stack on smartphones using MediaTek basebands. While rolling out VoLTE/IMS services as an MVNO, sipgate encountered a strange issue: several phone models (e.g., Huawei, Xiaomi, Gigaset, Motorola) failed to respond to incoming SIP INVITE messages despite appearing registered and fully connected. Outgoing calls worked only via 2G, causing confusion and degraded call security.
Upon deeper investigation using test devices and log analysis, sipgate found that these phones crashed and restarted their internal volte_stack process when receiving malformed SIP NOTIFY messages that lacked a mandatory “Contact” header. The missing header, omitted by their IMS core system, led to a null pointer dereference crash in the firmware.
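The missing-header check described above, as an added illustration that is not MediaTek's firmware or sipgate's code (the real stack's parser is not shown here): a minimal SIP header lookup and a NOTIFY handler that rejects a message without a Contact header instead of dereferencing the null lookup result. The two message texts are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Return a pointer into msg at the value of header `name`, setting *len to
 * the value length, or NULL if the header is absent from the header block. */
static const char *sip_find_header(const char *msg, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *line = msg;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0) break;                       /* blank line ends the headers */
        if (llen > nlen && line[nlen] == ':' && strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;    /* skip leading whitespace */
            *len = (size_t)(line + llen - v);
            return v;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return NULL;                                    /* header not present */
}

/* NOTIFY handler: copies the Contact value into contact_out and returns 0, or
 * returns -1 (the caller would answer 400 Bad Request) when Contact is missing.
 * The NULL check is the step whose absence turns a malformed message into a
 * crash of the whole stack. */
int handle_notify(const char *msg, char *contact_out, size_t out_sz) {
    size_t len = 0;
    const char *contact = sip_find_header(msg, "Contact", &len);
    if (contact == NULL)
        return -1;                                  /* reject instead of dereference */
    if (len >= out_sz)
        len = out_sz - 1;                           /* truncate to the caller's buffer */
    memcpy(contact_out, contact, len);
    contact_out[len] = '\0';
    return 0;
}

/* Constructed sample messages for the example (not captured traffic). */
const char *NOTIFY_WITH_CONTACT = "NOTIFY sip:alice@example.invalid SIP/2.0\r\n"
    "Contact: <sip:ims.example.invalid>\r\nEvent: reg\r\n\r\n";
const char *NOTIFY_WITHOUT_CONTACT = "NOTIFY sip:alice@example.invalid SIP/2.0\r\n"
    "Event: reg\r\n\r\n";
```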
To resolve and report the issue, sipgate coordinated with their IMS core vendor and contacted MediaTek and Motorola. Gabriel Gegenhuber, Michael Pucher, and ISMK Stralsund were instrumental in reverse-engineering the firmware and identifying the precise cause of the crash, including its reproducibility in Voice over WiFi (VoWiFi) environments.
The vulnerability, though requiring privileged IMS access, could be exploited for denial-of-service or call downgrade attacks. With the help of SBA Research, sipgate was able to responsibly disclose the issue, contributing to improved firmware resilience and future-proofing for VoLTE infrastructures.
For further insights, listen to the Risikozone podcast from ISMK, episode “SIP Happens: No Contact, No Service” (German), with Gabriel Gegenhuber.
Links
Blog entry sipgate
CVE-2025-20647
Chipsets
MediaTek’s monthly security announcement
MediaTek security acknowledgements
Further Risikozone Podcast on Security and Research in Mobile Communications: From IMSI Catchers, MobileAtlas, VoWiFi, and Static Keys (German)