An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

Crash happens due to a NULL access.

int inet_msg_unpack_generic_header
              (uint param_1,uint param_2,char *param_3)

{
  bVar1 = inet_msg_is_header_val_int(param_1,param_2);
  if (bVar1 == 0) {
    iVar3 = 0;
    if (param_2 < 0x98) {
      pcVar2 = (code *)inet_msg_header_unpack_fn(param_1,param_2);
      // [1]: HERE pcVar2 is NULL, thus the following dereference causes a crash!
      iVar3 = (*pcVar2)(param_1,param_3);
    }
  }
  else { ... }
  return iVar3;
}

Example payload

a
transport:0

Variants:

a
none:2

Note that a is the SIP request line.

Affected Devices

Includes most, possibly all, of the following devices:

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Timeline

• 2025.06.23. Bug reported to Mediatek PSIRT
• 2025.07.23. Mediatek confirms vulnerability, does not assign CVE due to low severity
• 2025.10.01. Advisory release