SBA Security Advisory – Null pointer dereference in MediaTek Modem (CVE-2025-20647)
Vulnerability Overview
In the MediaTek modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service if a UE (user equipment) has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.
- Type of Vulnerability: Denial of Service
- Fixed with: Patch ID: MOLY00791311 / MOLY01067019; Issue ID: MSV-2721
- CVE ID: CVE-2025-20647
- Severity: Medium
Recommended Countermeasure
If possible, apply the patch with Patch ID: MOLY00791311 / MOLY01067019; Issue ID: MSV-2721.
Links
Chipsets
MediaTek Security Bulletin March 2025
MediaTek security acknowledges
Blog entry sipgate
CVE-2025-20647
Credits
Denis Kollar (sipgate)
Hendrik Wedhorn (sipgate)
Jannik Volkland (sipgate)
Viktor Garske (ISMK)
Gabriel Gegenhuber (SBA Research and University of Vienna)
Michael Pucher (University of Vienna)