We have identified a new vulnerability in Huawei’s Hypervisor implementation. The vulnerability can be exploited to bypass Huawei’s HKIP (Kernel Integrity Protection) exploit mitigations.
The vulnerability we are disclosing in this advisory affected a wide range of Huawei devices, including phones on the newest chipsets. The vendor did not produce a fix/CVE for the reported vulnerability.
Vulnerability Details Thew Huawei Hypervisor Execution Environment (HEE) implements additional memory address protection of the Linux Kernel by restricting certain memory accesses using 2nd stage translation.
However, the HEE also exposes an api to the Linux Kernel via Hypervisor Calls (HVC) that can be directly used to modify the stage 2 translation tables and therefore remove the protections, bypassing the intented exploit mitigation entirely.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a trap, described below.
The inet_msg_unpack_body function has a vulnerability which makes the SIP parsing susceptible for DoS attacks. The relevant code path can be reached with syntaxically correct SIP messages with multipart content type. (see the PoC section for an actual example)
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details A large number of memory allocations can be triggered via malformed SDP contents unknown by Mediatek’s baseband implementation (e.g. with a key of two octet). During failure, some special cases bail out without first freeing the earlier allocations, and losing the single pointer to the area.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
sip_msg_content_type_compatible assumes a content type with a subcontenttype (e.g. text/plain), but inet_msg_unpack_content_type accepts a content type without a subcontenttype (e.g. text).
bool sip_msg_content_type_compatible(char **accept,char **contentType) { int iVar1; char *pcVar2; char *pcVar3; iVar1 = voip_strcasecmp(accept[0],"*"); pcVar3 = "*"; // If the Accept is in format */something, accept anything, if the Accept is exactly */* if (iVar1 !
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
int inet_msg_unpack_generic_header (uint param_1,uint param_2,char *param_3) { bVar1 = inet_msg_is_header_val_int(param_1,param_2); if (bVar1 == 0) { iVar3 = 0; if (param_2 < 0x98) { pcVar2 = (code *)inet_msg_header_unpack_fn(param_1,param_2); // [1]: HERE pcVar2 is NULL, thus the following dereference causes a crash!
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
int sdp_msg_unpack_bandwidth(char **param_1,undefined *param_2) { iVar2 = sdp_msg_unpack_string_list.constprop.26(param_1,0x62,-1,(undefined *)&uStack_1c); if (iVar2 == 0) { puVar7 = &uStack_1c; local_20 = (char *)0x0; while ((char *)puVar7[1] != (char *)0x0) { puVar3 = (uint *)voip_strtok_r((char *)puVar7[1],":",&local_20); // [1] *(undefined4 *)(param_2 + 4) = 0; bVar1 = sdp_msg_unpack_type(5,5,-0x6e41ac2c,puVar3,(int *)(param_2 + 4),(uint **)0x0); .
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
void sdp_msg_create_negotiation_sdp(...) { sdp_cpy = sdp_msg_struct_copy(sdp_msg); // [1] if (sdp_cpy == (sdp_message_struct *)0x0) { ... return; } media = sdp_cpy->m; if (media != (sdp_media_struct *)0x0) { media_orig_p = sdp_msg->m; // original media while (media_orig_p !
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
The crash happens in sdp_msg_create_negotiation_sdp.
It is caused by a malformed audio attribute for RTP/AVP resulting in a NULL pointer access, which crashes the modem.
Example payload The following SIP messages were tested:
We have identified a new buffer overflow vulnerability in Samsung’s baseband implementation (mainly used in Exynos chipsets). The vulnerability can be exploited to achieve arbitrary code execution in the baseband runtime.
The vulnerability we are disclosing in this advisory affected a wide range of Samsung devices, including phones on the newest Exynos chipsets. The November 2023 issue of the Samsung Semiconductor Security Bulletin contains this vulnerability as CVE-2023-41111.
Vulnerability Details Background: Data Block Format and Re-assembly in RLC In GPRS, an LLC layer PDU can be up to 1560 bytes long, but the maximum size for an RLC data block is 22/32/38/52 for the GPRS coding schemes CS-1/2/3/4, respectively.
We have identified several new heap buffer overflow vulnerabilities in Samsung’s baseband implementation (mainly used in Exynos chipsets): three different heap buffer overflows in the same function, to be precise.
The most critical of these vulnerabilities can be exploited to achieve arbitrary code execution in the baseband runtime.
The vulnerabilities we are disclosing in this advisory affected a wide range of Samsung devices, including phones on the newest Exynos chipsets. The vulnerability report covering all three that we reported together was assigned CVE-2023-41112, which was published in the 2023 November issue of Samsung Semiconductor Security Bulletin.
Vulnerability Details Background: RLC Data Block Formats in GPRS vs E-GPRS In GPRS, an LLC layer PDU can be up to 1560 bytes long, but the maximum size for an RLC data block is between 22 and 52 bytes for GPRS, depending on the Coding Scheme used (22/32/38/52 for the GPRS coding schemes CS-1/2/3/4, respectively).