An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

Crash happens due to a NULL access.

int sdp_msg_unpack_bandwidth(char **param_1,undefined *param_2)
{
  iVar2 = sdp_msg_unpack_string_list.constprop.26(param_1,0x62,-1,(undefined *)&uStack_1c);
  if (iVar2 == 0) {
    puVar7 = &uStack_1c;
    local_20 = (char *)0x0;
    while ((char *)puVar7[1] != (char *)0x0) {
      puVar3 = (uint *)voip_strtok_r((char *)puVar7[1],":",&local_20); // [1]
      *(undefined4 *)(param_2 + 4) = 0;
      bVar1 = sdp_msg_unpack_type(5,5,-0x6e41ac2c,puVar3,(int *)(param_2 + 4),(uint **)0x0);
  ...

At [1], strtok_r might return NULL, if there are no non-matching (not :) characters after b=, while sdp_msg_unpack_type will assume that puVar3 is not NULL. This causes a crash.

Example payload

Change any valid INVITE-flow message SDP contents to the following:

v=0
o=0 0 0 IN IP4 0
s=0
b=

Affected Devices

Includes most, possibly all, of the following devices:

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Timeline

2025.06.23. Bug reported to Mediatek PSIRT
2025.07.23. Mediatek confirms vulnerability, does not assign CVE due to low severity
2025.10.01. Advisory release

MSV-4627: Mediatek Baseband Null Dereference During Parsing Empty SDP Bandwidth Field

Vulnerability Details

Example payload

Affected Devices

Timeline