{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20409", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "state": "PUBLISHED", "assignerShortName": "MediaTek", "dateReserved": "2025-11-03T01:30:59.008Z", "datePublished": "2026-02-02T08:14:58.556Z", "dateUpdated": "2026-03-30T13:03:00.763Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:03:00.763Z"}, "descriptions": [{"lang": "en", "value": "In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363246; Issue ID: MSV-5779."}], "affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "defaultStatus": "unaffected", "versions": [{"version": "MT6897", "status": "affected"}, {"version": "MT6989", "status": "affected"}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T04:55:39.659895Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:39.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T04:55:39.659895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T20:54:12.241Z"}}], "cna": {"affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "versions": [{"status": "affected", "version": "MT6897"}, {"status": "affected", "version": "MT6989"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363246; Issue ID: MSV-5779."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:03:00.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20409", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:03:00.763Z", "dateReserved": "2025-11-03T01:30:59.008Z", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "datePublished": "2026-02-02T08:14:58.556Z", "assignerShortName": "MediaTek"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*", "matchCriteriaId": "2A7D8055-F4B6-41EE-A078-11D56285AB66", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD7DE6B2-66D9-4A3E-B15F-D56505559255", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363246; Issue ID: MSV-5779."}, {"lang": "es", "value": "En imgsys, existe una posible escritura fuera de l\u00edmites debido a una comprobaci\u00f3n de l\u00edmites faltante. Esto podr\u00eda llevar a una escalada local de privilegios si un actor malicioso ya ha obtenido el privilegio de Sistema. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n. ID del parche: ALPS10363246; ID del problema: MSV-5779."}], "id": "CVE-2026-20409", "lastModified": "2026-02-04T13:47:37.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-02T09:15:55.790", "references": [{"source": "security@mediatek.com", "tags": ["Vendor Advisory"], "url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "sourceIdentifier": "security@mediatek.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security@mediatek.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:10:55.704930+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s fix identified as ALPS10363246 to update the imgsys driver and remove the missing bounds check.", "Ensure the device firmware is updated to the latest MediaTek chipset release that incorporates the patch.", "Verify that no custom or legacy images invoke the imgsys component with elevated privileges, and enforce least\u2011privilege policies to limit System access."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MediaTek chipset products, specifically MT6897 and MT6989 series. It also impacts devices running Android 15.0 that use these chipsets, as identified in the CPE entries.", "description_and_impact": "A missing bounds check in MediaTek\u2019s imgsys component can cause an out\u2011of\u2011bounds write. The flaw can be exploited by an attacker who already has System privileges, allowing the attacker to write data beyond the intended memory region and thus elevate privileges locally. No user interaction is required for the exploit. The weakness corresponds to CWE\u2011787: Out\u2011of\u2011Bounds Write.", "risk_and_exploitability": "With a CVSS score of 7.8 the vulnerability is of medium\u2011high severity. The EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires local access to a system with System privileges; once that prerequisite is met, the attacker can trigger the out\u2011of\u2011bounds write without further user interaction."}}}}, "created": "2026-02-04T12:44:58.881298+00:00", "title": "Out\u2011of\u2011Bounds Write Vulnerability in MediaTek Imgsys Leading to Local Privilege Escalation", "updated": "2026-04-16T07:15:28.174604+00:00", "vendors": ["mediatek", "mediatek$PRODUCT$mt6897", "mediatk", "mediatk$PRODUCT$mt6989"]}