An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a stack buffer overflow in the baseband, triggered by malformed SDP data in a VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32874.
Vulnerability Details
When a SIP message contains SDP data, the cc_call_unpack_sdpmsg routine is first invoked to unpack the message bytes into an internal representation (sdp_message_struct). Later, the codec information is extracted from this internal representation by calling several codec-extracting functions.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a heap overflow in the baseband, triggered by malformed multipart SIP messages containing SMS data.
The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32886.
Vulnerability Details
SIP supports the processing of multipart requests (as described in RFC 1341), where a single message can contain multiple body parts with different content types. In these messages each body fragment is separated by a boundary tag, which is defined in the boundary parameter of the Content-Type MIME header.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is an unbounded-recursion stack overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32887.
Vulnerability Details
When a SIP message is unpacked by sip_msg_unpack, inet_msg_unpack_header is called to parse the various MIME headers. The function inet_msg_mime_skip_comment is reached from inet_msg_mime_skipws (and the other inet_msg_skipcfws* functions); it recursively seeks over the comments in the header in order to strip the whitespace and comments surrounding the MIME header values.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32888.
Vulnerability Details
When a SIP message is unpacked by sip_msg_unpack, cc_call_set_peer_addr is responsible for updating the session description object with the peer information. When the SIP message contains the P-Asserted-Identity header, the vulnerable cc_call_replace_double_quote function is called to replace double quotes with the <ascii_34> string.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is an intra-structure overflow in the baseband, triggered by malformed SDP data in a VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32889.
Vulnerability Details
When a SIP message contains SDP data, the cc_call_unpack_sdpmsg routine is first invoked to unpack the message bytes into an internal representation (sdp_message_struct). Later, based on that representation, the session object's des_audio structure is populated with the AMR/AMR-WB codec info.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is an arbitrary heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details
inet_msg_unpack_addr()
    sVar5 = strspn((char *)pbVar17, " \t\r\n");
    alloc = NULL;
    if (pbVar17[sVar5] == '\"') {
        sVar5 = sVar5 + 1;
        src = pbVar17 + sVar5;
        sVar6 = strlen((char *)src);
        alloc = (byte *)voip_get_mem(sVar6 + 1, "protocol/ims/core/src/sip/inet_msg_unpack.c", 0xcca);
        alloc_ = alloc;
        if (alloc !
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details
char * inet_msg_mime_quote(char *str)
{
    char *slash_or_quote_ptr;
    char *src;
    char *dst;
    char curr;
    char *src_following;

    slash_or_quote_ptr = strpbrk(str, "\\\"");
    src_following = str;
    dst = str;
    if (slash_or_quote_ptr != NULL) {
        while (src = src_following, curr = *src, curr != '\0') {
            src_following = src + 1;
            if (curr !
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details
The crash happens due to a trap, described below.
The inet_msg_unpack_body function has a vulnerability which makes the SIP parsing susceptible to DoS attacks. The relevant code path can be reached with syntactically correct SIP messages with a multipart content type (see the PoC section for an actual example).
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details
The crash happens due to a NULL pointer access.
int inet_msg_unpack_generic_header(uint param_1, uint param_2, char *param_3)
{
    bVar1 = inet_msg_is_header_val_int(param_1, param_2);
    if (bVar1 == 0) {
        iVar3 = 0;
        if (param_2 < 0x98) {
            pcVar2 = (code *)inet_msg_header_unpack_fn(param_1, param_2);
            // [1]: HERE pcVar2 is NULL, thus the following dereference causes a crash!
There is a memory management vulnerability and a path traversal vulnerability in the vision DSP kernel driver of Exynos S20 devices. These vulnerabilities can be leveraged by a malicious untrusted application to permanently disable the device until it is factory reset.
Vulnerability Details
The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the DSP device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of names of the graph binaries to be loaded. The dsp_kernel_alloc function appends the ".elf" extension to the user-supplied name and then uses the kernel's request_firmware API to load it from the file system.