An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is an arbitrary heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

inet_msg_unpack_addr()
    sVar5 = strspn((char *)pbVar17," \t\r\n");
    alloc = NULL;
    if (pbVar17[sVar5] == '\"') {
      sVar5 = sVar5 + 1;
      src = pbVar17 + sVar5;
      sVar6 = strlen((char *)src);   /* allocation sized up to the first NUL after the opening quote */
      alloc = (byte *)voip_get_mem(sVar6 + 1,
                                   "protocol/ims/core/src/sip/inet_msg_unpack.c"
                                   ,0xcca);
      alloc_ = alloc;
      if (alloc != NULL) {
        while (bVar1 = *src, bVar1 != '\"') {
          if (bVar1 == 0) {            /* the only end check: a bare NUL at the cursor */
            voip_free_mem(alloc);
            goto _done;
          }
          if (bVar1 == '\\') {
            src_next = src + 1;        /* escaped byte is copied without a NUL check */
            sVar5 = sVar5 + 2;
            src = src + 2;             /* cursor can step past the terminator that sized alloc */
            *alloc_ = *src_next;
          }
          else {
            sVar5 = sVar5 + 1;
            src = src + 1;
            *alloc_ = bVar1;
          }
          alloc_ = alloc_ + 1;         /* no bound against sVar6 + 1 */
        }
        sVar5 = sVar5 + 1;
      }
    }

During the line segmentation process \d gets replaced with \0, so the if (*src == 0) end condition can be bypassed with an “escaped null character” ("\\\0"): the backslash branch copies the byte following it without checking it for \0 and advances src by two, stepping over the terminator that sized the strlen() + 1 allocation, so the copy continues past it and overflows the heap buffer.

The lifetime of the allocation can also be controlled: if a closing " character is present, the pointer to the assembled string on the heap is saved and only freed when the inet structure is destroyed; otherwise it is freed immediately.
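
As an added example (not Mediatek's code and not the decompiled routine above), the following C models both sides of the bug: naive_walk_overruns() re-traces the decompiled loop on indices only and reports whether a backslash directly before the terminator would carry the cursor past the end of the string, and unpack_quoted_string() is a hardened unescape that rejects an escaped terminator or a missing closing quote and bounds every write. The function names and the simplified malloc-based allocation model are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Re-trace the decompiled loop on indices only, never dereferencing past the
 * terminator. Returns 1 if a backslash directly before the NUL would push the
 * cursor beyond the end of 'src' (the copy would run past the strlen()+1
 * allocation), 0 if the loop stops at a closing quote or a bare NUL. */
int naive_walk_overruns(const char *src)
{
    size_t len = strlen(src), i = 0;
    while (i <= len && src[i] != '"') {
        if (src[i] == '\0') return 0;    /* bare NUL: the only end check */
        i += (src[i] == '\\') ? 2 : 1;   /* escaped byte copied unchecked */
    }
    return i > len;
}

/* Hardened unescape of a quoted-string body. 'src' points just past the
 * opening quote. Returns a malloc'd NUL-terminated copy and stores the input
 * bytes consumed (including the closing quote) in *consumed; returns NULL if
 * the string is unterminated, a backslash precedes the terminator, or the
 * output would exceed the allocation. Caller frees the result. */
char *unpack_quoted_string(const char *src, size_t *consumed)
{
    size_t cap = strlen(src), i = 0, o = 0;  /* output never exceeds input */
    char *out = malloc(cap + 1);
    if (out == NULL) return NULL;
    for (;;) {
        char c = src[i];
        if (c == '\0') goto reject;          /* no closing quote */
        if (c == '"') { i++; break; }
        if (c == '\\') {
            c = src[++i];
            if (c == '\0') goto reject;      /* escaped NUL: the case above */
        }
        if (o >= cap) goto reject;           /* bounded write */
        out[o++] = c;
        i++;
    }
    out[o] = '\0';
    if (consumed) *consumed = i;
    return out;
reject:
    free(out);
    return NULL;
}
```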

Example payload

a
To: "This adjust the allocation size\
1234567890 This will be the overflow content

Note that "a" is the SIP request line.

Affected Devices

Includes most, possibly all, of the following devices:

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Timeline

  • 2025.06.23. Bug reported to Mediatek PSIRT
  • 2025.07.23. Mediatek confirms vulnerability
  • 2025.07.23. Mediatek confirms CVE
  • 2025.09.01. TASZK informs Mediatek of advisory disclosure plan
  • 2025.10.01. Advisory release