An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

This report describes an unbounded recursion issue, which leads to stack overflow. (Note: the issue is stack overflow not stack buffer overtflow, i.e. an out-of-bounds write beyond a stack frame’s end).

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

The XML parser code executes unbounded recursions. In addition, it lacks early checking of the validity of the XML against the expected schema, which might otherwise act as an upper bound for recursion for most XML documents.

There is not one single vulnerable code path, even during XML parsing cleanup, the baseband executes an unbounded recursive free, which can also crash the modem, so this vulnerable code pattern replicates tthroughout the XML parser code.

Example payload

Overwrite any packet with the following content type: Content-Type: application/reginfo+xml, and the following payload (i.e. <a> repeated 601 times):

python -c 'print(601*"<a>")'

Affected Devices

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Timeline

  • 2025.06.23. Bug reported to Mediatek PSIRT
  • 2025.07.23. Mediatek communicates that the bug matches CVE-2025-20678 that was released in the June 2025 security bulletin security bulletin
  • 2025.10.01. Advisory release