Detection of Null Pointer Dereference in MediaTek VoLTE Stack Firmware with sipgate and ISMK Stralsund

Name	SBA Research Cookie
Provider	SBA Research
Purpose	Saves the settings of the visitors selected in the cookie box.
Cookie name	sba-research-cookie
Cookie runtime	1 year

Name	YouTube
Provider	YouTube
Purpose	Used to unblock YouTube content.
Privacy policy	https://policies.google.com/privacy
Host(s)	google.com
Cookie name	NID
Cookie runtime	6 months

Name	Vimeo
Provider	Vimeo
Purpose	Used to unblock Vimeo content.
Privacy policy	https://vimeo.com/privacy
Host(s)	player.vimeo.com
Cookie name	vuid
Cookie runtime	2 years

June 6, 2025

Together with sipgate and ISMK Stralsund, Gabriel Gegenhuber, researcher at SBA Research and University of Vienna, and Michael Pucher, researcher at University of Vienna, discovered and investigated a vulnerability in the Voice of LTE (VoLTE) stack that is broadly used within MediaTek-based smartphones.

half body portrait of man © Niklas Schnaubelt

In May 2025, sipgate uncovered a critical firmware vulnerability in the VoLTE (Voice over LTE) stack on smartphones using MediaTek basebands. While rolling out VoLTE/IMS services as an MVNO, sipgate encountered a strange issue: several phone models (e.g., Huawei, Xiaomi, Gigaset, Motorola) failed to respond to incoming SIP INVITE messages despite appearing registered and fully connected. Outgoing calls worked only via 2G, causing confusion and degraded call security.

Upon deeper investigation using test devices and log analysis, sipgate found that these phones crashed and restarted their internal volte_stack process when receiving malformed SIP NOTIFY messages that lacked a mandatory “Contact” header. The missing header—omitted by their IMS core system—led to a null pointer dereference crash in the firmware.

To resolve and report the issue, sipgate coordinated with their IMS core vendor and contacted MediaTek and Motorola. Gabriel Gegenhuber, Michael Pucher, and ISMK Stralsund were instrumental in reverse-engineering the firmware and identifying the precise cause of the crash, including its reproducibility in Voice over WiFi (VoWiFi) environments.

The vulnerability, though requiring privileged IMS access, could be exploited for denial-of-service or call downgrade attacks. With the help of SBA Research, sipgate was able to responsibly disclose the issue, contributing to improved firmware resilience and future-proofing for VoLTE infrastructures.

For further insights listen to the Podcast “Risikozone” from ISMK on SIP Happens: No Contact, No Service (German) with Gabriel Gegenhuber.

Links

Blog entry sipgate
CVE-2025-20647
Chipsets
MediaTek’s monthly security annoucement
MediaTek security acknowledges
Further Risikozone Podcast on Security and Research in Mobile Communications: From IMSI Catchers, MobileAtlas, VoWiFi, and Static Keys (German)

News