An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details A large number of memory allocations can be triggered via malformed SDP contents unknown by Mediatek’s baseband implementation (e.g. with a key of two octet). During failure, some special cases bail out without first freeing the earlier allocations, and losing the single pointer to the area.
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
sip_msg_content_type_compatible assumes a content type with a subcontenttype (e.g. text/plain), but inet_msg_unpack_content_type accepts a content type without a subcontenttype (e.g. text).
bool sip_msg_content_type_compatible(char **accept,char **contentType) { int iVar1; char *pcVar2; char *pcVar3; iVar1 = voip_strcasecmp(accept[0],"*"); pcVar3 = "*"; // If the Accept is in format */something, accept anything, if the Accept is exactly */* if (iVar1 !
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
int inet_msg_unpack_generic_header (uint param_1,uint param_2,char *param_3) { bVar1 = inet_msg_is_header_val_int(param_1,param_2); if (bVar1 == 0) { iVar3 = 0; if (param_2 < 0x98) { pcVar2 = (code *)inet_msg_header_unpack_fn(param_1,param_2); // [1]: HERE pcVar2 is NULL, thus the following dereference causes a crash!
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
int sdp_msg_unpack_bandwidth(char **param_1,undefined *param_2) { iVar2 = sdp_msg_unpack_string_list.constprop.26(param_1,0x62,-1,(undefined *)&uStack_1c); if (iVar2 == 0) { puVar7 = &uStack_1c; local_20 = (char *)0x0; while ((char *)puVar7[1] != (char *)0x0) { puVar3 = (uint *)voip_strtok_r((char *)puVar7[1],":",&local_20); // [1] *(undefined4 *)(param_2 + 4) = 0; bVar1 = sdp_msg_unpack_type(5,5,-0x6e41ac2c,puVar3,(int *)(param_2 + 4),(uint **)0x0); .
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
void sdp_msg_create_negotiation_sdp(...) { sdp_cpy = sdp_msg_struct_copy(sdp_msg); // [1] if (sdp_cpy == (sdp_message_struct *)0x0) { ... return; } media = sdp_cpy->m; if (media != (sdp_media_struct *)0x0) { media_orig_p = sdp_msg->m; // original media while (media_orig_p !
An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.
Vulnerability Details Crash happens due to a NULL access.
The crash happens in sdp_msg_create_negotiation_sdp.
It is caused by a malformed audio attribute for RTP/AVP resulting in a NULL pointer access, which crashes the modem.
Example payload The following SIP messages were tested:
We have identified a new stack buffer overflow vulnerability in Mediatek’s Linux Kernel driver implementation of cellular-to-application processor communication interface (CCCI). The vulnerability can be exploited by a malicious (compromised) baseband runtime to achieve arbitrary code execution in the Linux Kernel.
The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc). The July 2022 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2022-21766.
Vulnerability Details There is a kernel stack buffer overflow vulnerability in the implementation of the modem-kernel communication interface. The stack overflow can be used to overwrite the return address of a kernel function, with attacker controlled data.
We have identified a new heap buffer overflow vulnerability in Mediatek’s baseband implementation. The vulnerability can be exploited to achieve arbitrary code execution in the baseband runtime.
The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc). The July 2022 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2022-21744.
Vulnerability Details The GPRS Packet Neighbour Cell Data (PNCD) message is an optional message sent by the network on the PACCH to provide system information required for initial access in a neighbouring cell. In the case of the MediaTek baseband firmware, this message is processed in the FDD_rmpc_mac_rmpc_pncd_ind_hdlr function.
We have identified a new out-of-bound write vulnerability in Mediatek’s Linux Kernel driver implementation of cellular-to-application processor communication interface (CCCI). The vulnerability can be exploited by a malicious (compromised) baseband runtime to achieve arbitrary code execution in the Linux Kernel.
The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc). The July 2022 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2022-21765.
Vulnerability Details There is a vmalloc out-of-bound write vulnerability in the kernel implementation of the modem-kernel communication interface. The out-of-bound write can be used to write controlled data, with controlled size, at a controlled location within the kernel’s vmalloc memory region.
We have identified a new out-of-bound read vulnerability in Mediatek’s Linux Kernel driver implementation of cellular-to-application processor communication interface (CCCI). The vulnerability can be exploited by a malicious (compromised) baseband runtime to leak information from the kernel runtime and break the kernel’s entropy-based mitigations such as KASLR and stack smashing protection.
The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc). The July 2022 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2022-21769.
Vulnerability Details There is a vmalloc out-of-bound read vulnerability in the kernel implementation of the modem-kernel communication interface.