Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the GSM Radio Resource Management Channel Release message, the CSN.1 decoding of the “Cell selection indicator after release of all TCH and SDCCH” information element contains a heap buffer overflow in the function FDD_csrr_decode_redirection_ie. The “Cell selection indicator after release of all TCH and SDCCH” is a type 4 information element with a minimum length of 4 octets.