An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

Crash happens due to a trap, described below.

The inet_msg_unpack_body function has a vulnerability which makes the SIP parsing susceptible for DoS attacks. The relevant code path can be reached with syntaxically correct SIP messages with multipart content type. (see the PoC section for an actual example)

	curr_inet_mem_pos = inet_mem->pos;
	if (content_length != 0 && (app_type != INET_MSG_APP_SIP || is_raw_data != 0)) {
	  if (inet_mem->end <= curr_inet_mem_pos || inet_mem->end - curr_inet_mem_pos < content_length))
		  goto LAB_exit_with_error_0xc;
	  pos = curr_inet_mem_pos;
	  while (*pos != '-' || pos[1] != '-' || memcmp(pos + 2,boundary_str,boundary_str_len) != 0) {
		pos = pos + 1;
	  }
	  fragment_body_len = (pos - curr_inet_mem_pos) - 2;
	  mem = voip_get_mem(fragment_body_len + 1, "protocol/ims/core/src/sip/inet_msg_unpack.c", 0xc25);

In the fragment_body_len = (pos - curr_inet_mem_pos) - 2; assignment the -2 is accounted for the trailing \r\n character sequence after the body. However when there is no body, the pos - curr_inet_mem_pos would become zero, thus fragment_body_len = -2. This leads to a minus one allocation size in the voip_get_mem(fragment_body_len + 1) function call.

voip_get_mem is a wrapper for __kal_adm_alloc, in which returns a NULL pointer for non-positive allocation sizes. The crash happens because subsequently voip_get_mem checks the returned pointer and traps on NULL values:

voip_get_mem+64:
    90b0c2b2  12 10              break        0x2

Example payload

a
Content-Type: multipart/mixed;boundary="boundary"

--boundary
Content-Type: application/vnd.3gpp.sms
Content-Length: 1

--boundary--

Note that a is the SIP request line.

Affected Devices

Includes most, possibly all, of the following devices:

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Timeline

2025.06.23. Bug reported to Mediatek PSIRT
2025.07.23. Mediatek confirms vulnerability, does not assign CVE due to low severity
2025.10.01. Advisory release

MSV-4621: Mediatek Baseband Empty Multipart SMS Leading to Denial of Service

Vulnerability Details

Example payload

Affected Devices

Timeline