An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details
inet_msg_unpack_uri_with_len:
... if (strcasecmp(proto, "http")) ...
*pbVar1 = bVar6;
proto_len = 6;
proto = after_proto + 1;
*after_proto = '\0';
after_proto = after_proto + 2;
*proto = '\0';
Bytes after the stored scheme are overwritten (the NUL writes at fixed offsets above), which becomes a heap overflow if the stored string is too short for those offsets.
Note that “https” (instead of “http”) follows a very similar but distinct code path. The bug is also triggered with “rtsp”.
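As an added defensive illustration (not Mediatek's code and not taken from the advisory), the following hypothetical splitter shows the check the decompiled path lacks: every write of a terminator is bounded by the real length of the stored string, so a scheme that is shorter than the assumed layout is rejected instead of overwriting adjacent heap memory. The scheme list, function name and struct are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Output of a successful "scheme:rest" split; both point into the caller's buffer. */
typedef struct {
    const char *scheme;
    const char *rest;
} uri_parts;

/*
 * Hypothetical bounded scheme splitter (illustrative, not Mediatek's code).
 * buf holds at most len bytes that the caller actually allocated. The pattern
 * the advisory describes writes '\0' at fixed offsets once a scheme matches,
 * trusting that the stored string is long enough. Here every index is checked
 * against the real length first, so a short string such as "http" is rejected.
 * Returns false on any input that cannot be split inside the buffer.
 */
bool split_uri_scheme(char *buf, size_t len, uri_parts *out)
{
    static const char *const schemes[] = { "http", "https", "rtsp" };

    if (buf == NULL || out == NULL || len == 0)
        return false;

    /* The string must be NUL-terminated inside the allocation we were given. */
    const char *end = memchr(buf, '\0', len);
    if (end == NULL)
        return false;
    size_t n = (size_t)(end - buf);

    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t slen = strlen(schemes[i]);

        /* Need the scheme itself plus the ':' we are about to overwrite. */
        if (n < slen + 1)
            continue;
        if (strncasecmp(buf, schemes[i], slen) != 0 || buf[slen] != ':')
            continue;

        buf[slen] = '\0';             /* index slen < n < len: in bounds */
        out->scheme = buf;
        out->rest = buf + slen + 1;   /* <= end, which is inside the buffer */
        return true;
    }
    return false;
}
```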
Example payload
0 http
Variants (not all combinations included):
0 https
0 rtsp
0
b:http
0
b:https
Record-Route:<s:0>http:,asfd,asdf,adsf
Note that “a” and “0” are always the SIP request line (specifically, the SIP method).
Affected Devices
Includes most, possibly all, of the following devices:
MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893
Timeline
- 2025.06.23. Bug reported to Mediatek PSIRT
- 2025.07.23. Mediatek confirms vulnerability
- 2025.07.23. Mediatek confirms CVE
- 2025.09.01. TASZK informs Mediatek of advisory disclosure plan
- 2025.10.01. Advisory release