CVE-2023-32874: Mediatek Baseband Excessive Number of SDP rtpmap Entries Leads to Stack Buffer Overflow

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a stack buffer overflow in the baseband, triggered by malformed SDP data in a VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2023-32874.

Vulnerability Details

When a SIP message contains SDP data, the cc_call_unpack_sdpmsg routine is first invoked to unpack the message bytes into an internal representation (sdp_message_struct). Later the codec information is extracted from this internal representation by calling several codec-extracting functions.

CVE-2023-32886: Mediatek Baseband Buffer Overflow During Handling SIP Multipart Messages

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a heap overflow in the baseband, triggered by malformed multipart SIP messages containing SMS data. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2023-32886.

Vulnerability Details

SIP supports the processing of multipart requests (as described in RFC 1341), where a single message can contain multiple body parts with different content types. In these messages each body part is separated by a boundary tag, which is defined in the boundary parameter of the Content-Type MIME header.

CVE-2023-32887: Mediatek Baseband Unbounded Recursion Leading to Stack Overflow During Handling SIP Comments

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is an unbounded-recursion stack overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2023-32887.

Vulnerability Details

When a SIP message is unpacked by sip_msg_unpack, inet_msg_unpack_header is called to parse the various MIME headers. The function inet_msg_mime_skip_comment is reached from inet_msg_mime_skipws (and the other inet_msg_skipcfws* functions); it recursively walks the comments in the header in order to strip surrounding white space and comments from the MIME header values.

CVE-2023-32888: Mediatek Baseband Heap Buffer Overflow When Parsing SIP P-Asserted-Identity Header

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2023-32888.

Vulnerability Details

When a SIP message is unpacked by sip_msg_unpack, cc_call_set_peer_addr is responsible for updating the session description object with the peer information. When the SIP message contains the P-Asserted-Identity header, the vulnerable cc_call_replace_double_quote function is called to replace double quotes with the <ascii_34> string.
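Replacing a one-byte double quote with the ten-byte string <ascii_34> grows the value by nine bytes per quote, so an output buffer sized from the input length alone is too small whenever the header contains quotes. The C below is an added example for this page, not Mediatek's cc_call_replace_double_quote and not code from the advisory; the function names and the QUOTE_TOKEN macro are hypothetical. It shows the size computation that has to happen before the copy, in both a caller-buffer and an allocating form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUOTE_TOKEN "<ascii_34>"   /* replacement described in the advisory */

/* Bytes needed for the expanded string, including the NUL terminator.
 * Each '"' costs strlen(QUOTE_TOKEN) bytes, every other byte costs one. */
size_t quote_expanded_size(const char *s)
{
    size_t n = 0, tok = strlen(QUOTE_TOKEN);
    for (; *s; s++)
        n += (*s == '"') ? tok : 1;
    return n + 1;
}

/* Expands src into dst. Returns 0 on success and -1 when dst is too
 * small. Without this check, each quote writes nine bytes past a buffer
 * that was sized from strlen(src): the overflow the advisory describes. */
int replace_double_quotes(const char *src, char *dst, size_t dst_size)
{
    size_t tok = strlen(QUOTE_TOKEN);
    if (quote_expanded_size(src) > dst_size)
        return -1;
    char *d = dst;
    for (; *src; src++) {
        if (*src == '"') {
            memcpy(d, QUOTE_TOKEN, tok);
            d += tok;
        } else {
            *d++ = *src;
        }
    }
    *d = '\0';
    return 0;
}

/* Allocating variant: the heap buffer is sized after counting the quotes,
 * not from a guess made before the input was inspected. Caller frees. */
char *replace_double_quotes_dup(const char *src)
{
    size_t n = quote_expanded_size(src);
    char *out = malloc(n);
    if (!out)
        return NULL;
    replace_double_quotes(src, out, n);   /* cannot fail: n was computed for src */
    return out;
}

int main(void)
{
    /* constructed P-Asserted-Identity value */
    const char *pai = "\"Alice\" <sip:alice@example.com>";
    char *expanded = replace_double_quotes_dup(pai);
    if (!expanded)
        return 1;
    printf("%s\n", expanded);
    free(expanded);
    return 0;
}
```

The allocating variant is the one a SIP stack would normally use, because the expanded length is only known after the header has been scanned; the fixed-buffer variant shows the check that must exist whenever the destination is a pre-sized field in a session object.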

CVE-2023-32889: Mediatek Baseband Buffer Overflow During SDP mode-set Parsing

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is an intra-structure overflow in the baseband, triggered by malformed SDP data in a VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2023-32889.

Vulnerability Details

When a SIP message contains SDP data, the cc_call_unpack_sdpmsg routine is first invoked to unpack the message bytes into an internal representation (sdp_message_struct). Based on that, the session object's des_audio structure is later populated with the AMR/AMR-WB codec information.
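CVE-2023-32874 (rtpmap entries) and CVE-2023-32889 (mode-set values) above share one defect: SDP attribute values are appended to fixed-size tables inside a session structure while the number of entries is chosen by the sender. The parser below is an added example written for this page, not Mediatek's cc_call_unpack_sdpmsg and not code from either advisory; the struct layout, the capacities MAX_RTPMAP and MAX_MODESET, and all function names are hypothetical. It shows where the bound check belongs and what a parser should return when the table is full, for both attributes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacities. AMR/AMR-WB define exactly eight modes (0..7),
 * so a mode-set table never needs more than eight slots. */
#define MAX_RTPMAP   8
#define MAX_MODESET  8
#define MAX_LINE     256

struct rtpmap_entry {
    int      payload_type;
    char     encoding[32];
    unsigned clock_rate;
};

/* Fixed tables in one struct: with no count check, the ninth rtpmap entry
 * (or ninth mode) lands on the field that follows the table. */
struct sdp_media {
    struct rtpmap_entry rtpmap[MAX_RTPMAP];
    int           rtpmap_count;
    unsigned char mode_set[MAX_MODESET];
    int           mode_set_count;
};

/* a=rtpmap:<pt> <encoding>/<clock rate>[/<params>]
 * 0 = stored, -1 = malformed, -2 = table full (the missing check). */
static int add_rtpmap(struct sdp_media *m, const char *line)
{
    int pt; unsigned rate; char enc[32];
    if (sscanf(line, "a=rtpmap:%d %31[^/]/%u", &pt, enc, &rate) != 3)
        return -1;
    if (m->rtpmap_count >= MAX_RTPMAP)
        return -2;
    struct rtpmap_entry *e = &m->rtpmap[m->rtpmap_count++];
    e->payload_type = pt;
    e->clock_rate = rate;
    snprintf(e->encoding, sizeof e->encoding, "%s", enc);
    return 0;
}

/* mode-set=<n>[,<n>...] with n in 0..7, ended by ';', CR, LF or NUL. */
static int add_mode_set(struct sdp_media *m, const char *list)
{
    const char *p = list;
    for (;;) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 7)
            return -1;
        if (m->mode_set_count >= MAX_MODESET)
            return -2;
        m->mode_set[m->mode_set_count++] = (unsigned char)v;
        p = end;
        if (*p == ',') { p++; continue; }
        if (*p == '\0' || *p == ';' || *p == '\r' || *p == '\n')
            return 0;
        return -1;
    }
}

/* Walks the SDP line by line. Returns 0 when every line was accepted,
 * otherwise the error code of the first rejected line. */
int parse_sdp(struct sdp_media *m, const char *sdp)
{
    memset(m, 0, sizeof *m);
    const char *p = sdp;
    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[MAX_LINE];
        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        int rc = 0;
        if (strncmp(line, "a=rtpmap:", 9) == 0) {
            rc = add_rtpmap(m, line);
        } else if (strncmp(line, "a=fmtp:", 7) == 0) {
            const char *ms = strstr(line, "mode-set=");
            if (ms)
                rc = add_mode_set(m, ms + strlen("mode-set="));
        }
        if (rc)
            return rc;
        p += len;
        while (*p == '\r' || *p == '\n')
            p++;
    }
    return 0;
}

int main(void)
{
    struct sdp_media m;
    const char *sdp =                        /* constructed sample offer */
        "m=audio 49152 RTP/AVP 96 97\r\n"
        "a=rtpmap:96 AMR/8000\r\n"
        "a=rtpmap:97 AMR-WB/16000\r\n"
        "a=fmtp:97 mode-set=0,2,4,7;octet-align=1\r\n";
    int rc = parse_sdp(&m, sdp);
    printf("rc=%d rtpmap=%d modes=%d\n", rc, m.rtpmap_count, m.mode_set_count);
    return rc != 0;
}
```

Rejecting the whole offer on the ninth entry is deliberate: a caller that silently drops the extra entries still has to reason about which table is authoritative, while a rejected INVITE is simply answered with an error.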

CVE-2025-20678: Mediatek Baseband Unbounded Recursion Leading to Stack Overflow During Handling XML Payload

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. This report describes an unbounded recursion issue, which leads to a stack overflow. (Note: the issue is a stack overflow, i.e. the stack is exhausted by recursion, not a stack buffer overflow, i.e. an out-of-bounds write beyond a stack frame's end.) The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20678.

Vulnerability Details

The XML parser recurses without any bound on depth. In addition, it does not validate the XML against the expected schema early on; such a check would otherwise act as an upper bound on recursion for most XML documents.
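CVE-2023-32887 (nested SIP header comments) and CVE-2025-20678 (nested XML elements) are the same bug class: the parser spends one stack frame per nesting level of attacker-controlled input. The C below is an added example for this page, not Mediatek's inet_msg_mime_skip_comment or its XML parser; the function names and the MAX_NESTING limit are hypothetical. It contrasts the recursive shape with an iterative one that tracks nesting in a counter and refuses input past a fixed depth. The same counter, incremented on a start tag and decremented on its end tag, is the fix for the XML case.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NESTING 32   /* hypothetical; real header comments are rarely nested at all */

/* Vulnerable shape, kept for contrast: one stack frame per '(' in the
 * input, so N nested parentheses cost N frames. Expects *p == '('.
 * Never run this on untrusted input. */
static const char *skip_comment_recursive(const char *p)
{
    p++;                                     /* step over the opening '(' */
    while (*p) {
        if (*p == '\\' && p[1]) { p += 2; continue; }          /* quoted-pair, e.g. \) */
        if (*p == '(') {
            p = skip_comment_recursive(p);
            if (!p) return NULL;
            continue;
        }
        if (*p == ')') return p + 1;
        p++;
    }
    return NULL;                             /* unterminated comment */
}

/* Hardened: nesting is a counter, the stack does not grow with the input.
 * Returns a pointer past the matching ')' or NULL when the comment is
 * unterminated or nested deeper than max_depth. */
const char *skip_comment_bounded(const char *p, int max_depth)
{
    int depth = 0;
    if (*p != '(')
        return p;
    for (; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }
        if (*p == '(') {
            if (++depth > max_depth) return NULL;
        } else if (*p == ')' && --depth == 0) {
            return p + 1;
        }
    }
    return NULL;
}

/* Strips leading white space and comments (CFWS) from a header value, the
 * operation inet_msg_mime_skipws performs. Returns NULL on malformed input. */
const char *skip_cfws(const char *p)
{
    for (;;) {
        while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
            p++;
        if (*p != '(')
            return p;
        p = skip_comment_bounded(p, MAX_NESTING);
        if (!p)
            return NULL;
    }
}

int main(void)
{
    /* constructed header value with a nested comment and an escaped ')' */
    const char *v = "  (display (name \\) here) ignored) Alice <sip:alice@example.com>";
    printf("bounded  : %s\n", skip_cfws(v));
    /* safe here only because the nesting is two levels deep */
    printf("recursive: %s\n", skip_comment_recursive(strchr(v, '(')));
    return 0;
}
```

Choosing the limit is the only judgement call: 32 is far above anything a real IMS core emits, so the bound never affects legitimate traffic while a million-parenthesis header is rejected after 33 bytes of work.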

CVE-2025-20725: Mediatek Baseband Heap Overflow in inet_msg_unpack_addr

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is an arbitrary heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

Vulnerability Details

inet_msg_unpack_addr()

    sVar5 = strspn((char *)pbVar17, " \t\r\n");
    alloc = NULL;
    if (pbVar17[sVar5] == '\"') {
        sVar5 = sVar5 + 1;
        src = pbVar17 + sVar5;
        sVar6 = strlen((char *)src);
        alloc = (byte *)voip_get_mem(sVar6 + 1, "protocol/ims/core/src/sip/inet_msg_unpack.c", 0xcca);
        alloc_ = alloc;
        if (alloc !

CVE-2025-20726: Mediatek Baseband Null Dereference in inet_msg_unpack_uri_with_len

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20726.

Vulnerability Details

inet_msg_unpack_uri_with_len:

    ...
    if (strcasecmp(proto, "http"))
    ...
    *pbVar1 = bVar6;
    proto_len = 6;
    proto = after_proto + 1;
    *after_proto = '\0';
    after_proto = after_proto + 2;
    *proto = '\0';

Some bytes are overwritten after the stored scheme, which triggers a heap overflow if the stored string is too short.

CVE-2025-20727: Mediatek Baseband Heap Overflow During Parsing SIP Authentication-Info Header

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20727.

Vulnerability Details

    char * inet_msg_mime_quote(char *str)
    {
        char *slash_or_quote_ptr;
        char *src;
        char *dst;
        char curr;
        char *src_following;

        slash_or_quote_ptr = strpbrk(str, "\\\"");
        src_following = str;
        dst = str;
        if (slash_or_quote_ptr != NULL) {
            while (src = src_following, curr = *src, curr != '\0') {
                src_following = src + 1;
                if (curr !

MSV-4621: Mediatek Baseband Empty Multipart SMS Leading to Denial of Service

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is a DoS of the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. Mediatek tracks this issue as MSV-4621.

Vulnerability Details

The crash happens due to a trap, described below. The inet_msg_unpack_body function has a vulnerability which makes the SIP parsing susceptible to DoS attacks. The relevant code path can be reached with syntactically correct SIP messages with a multipart content type (see the PoC section for an actual example).
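Two of the advisories above concern the multipart body handling of a SIP MESSAGE: CVE-2023-32886, where the boundary-delimited parts are copied without adequate bounds, and MSV-4621, where a multipart body with no parts at all reaches a trap. The splitter below is an added example for this page, not Mediatek's inet_msg_unpack_body and not code from either advisory; the MAX_BOUNDARY and MAX_PARTS capacities and the function names are hypothetical (RFC 2046 does limit a boundary to 70 characters, which is where MAX_BOUNDARY comes from). It bounds the boundary copy, bounds the number of parts, and treats a body containing only the closing delimiter as a valid message with zero parts rather than a condition that cannot happen.

```c
#include <stdio.h>
#include <string.h>

#define MAX_BOUNDARY 70   /* RFC 2046: a boundary is at most 70 characters */
#define MAX_PARTS     8   /* hypothetical: a VoLTE MESSAGE carries a few parts at most */

struct body_part {
    const char *data;
    size_t      len;
};

/* Copies the boundary parameter of a Content-Type value such as
 * multipart/mixed;boundary="frontier" into a bounded buffer.
 * Returns the boundary length, or -1 if it is absent, empty or too long. */
int get_boundary(const char *ctype, char *out, size_t out_size)
{
    const char *p = strstr(ctype, "boundary=");
    if (!p)
        return -1;
    p += strlen("boundary=");
    int quoted = (*p == '"');
    if (quoted)
        p++;
    size_t n = 0;
    while (p[n] && p[n] != ';' && p[n] != '\r' && p[n] != '\n' && !(quoted && p[n] == '"'))
        n++;
    if (n == 0 || n > MAX_BOUNDARY || n + 1 > out_size)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Splits body at "--boundary" delimiters (RFC 2046 section 5.1.1).
 * Returns the number of parts found, which is legitimately 0 for a body
 * that holds only the closing delimiter or no delimiter at all; -1 when
 * a part is unterminated or more than max_parts are present. */
int split_multipart(const char *body, const char *boundary,
                    struct body_part *parts, int max_parts)
{
    char delim[MAX_BOUNDARY + 3];                  /* "--" + boundary + NUL */
    int dl = snprintf(delim, sizeof delim, "--%s", boundary);
    if (dl < 0 || (size_t)dl >= sizeof delim)
        return -1;

    int count = 0;
    const char *p = strstr(body, delim);
    while (p) {
        p += dl;
        if (p[0] == '-' && p[1] == '-')            /* closing delimiter "--boundary--" */
            return count;
        if (*p == '\r') p++;                       /* CRLF after the delimiter line */
        if (*p == '\n') p++;
        const char *next = strstr(p, delim);
        if (!next)
            return -1;                             /* part never closed: reject */
        if (count >= max_parts)
            return -1;                             /* table full: reject, do not overflow */
        size_t len = (size_t)(next - p);
        if (len >= 2 && next[-2] == '\r' && next[-1] == '\n')
            len -= 2;                              /* CRLF before the delimiter belongs to it */
        parts[count].data = p;
        parts[count].len = len;
        count++;
        p = next;
    }
    return count;
}

/* The unpack step for a multipart MESSAGE: find the boundary, then the parts. */
int unpack_multipart(const char *ctype, const char *body,
                     struct body_part *parts, int max_parts)
{
    char boundary[MAX_BOUNDARY + 1];
    if (get_boundary(ctype, boundary, sizeof boundary) < 0)
        return -1;
    return split_multipart(body, boundary, parts, max_parts);
}

int main(void)
{
    struct body_part parts[MAX_PARTS];
    /* constructed sample: one text part and one 3GPP SMS part */
    const char *ct = "multipart/mixed;boundary=\"b1\"";
    const char *body =
        "--b1\r\nContent-Type: text/plain\r\n\r\nhi\r\n"
        "--b1\r\nContent-Type: application/vnd.3gpp.sms\r\n\r\nPDU\r\n"
        "--b1--\r\n";
    int n = unpack_multipart(ct, body, parts, MAX_PARTS);
    printf("parts=%d empty=%d\n", n, unpack_multipart(ct, "--b1--\r\n", parts, MAX_PARTS));
    return n < 0;
}
```

The caller that consumes the parts then has to cope with a count of zero, which is the point of MSV-4621: a message that is well formed at the MIME level can still carry nothing that the SMS path expects, and that must be an ordinary error, not a trap.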