{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20413", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "state": "PUBLISHED", "assignerShortName": "MediaTek", "dateReserved": "2025-11-03T01:30:59.009Z", "datePublished": "2026-02-02T08:15:07.775Z", "dateUpdated": "2026-03-30T13:03:11.668Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:03:11.668Z"}, "descriptions": [{"lang": "en", "value": "In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694."}], "affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "defaultStatus": "unaffected", "versions": [{"version": "MT6899", "status": "affected"}, {"version": "MT6991", "status": "affected"}, {"version": "MT8678", "status": "affected"}, {"version": "MT8793", "status": "affected"}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-1285", "description": "CWE-1285 Specified Index, Position, or Offset"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T04:55:37.033281Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:37.983Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T04:55:37.033281Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T13:52:32.210Z"}}], "cna": {"affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "versions": [{"status": "affected", "version": "MT6899"}, {"status": "affected", "version": "MT6991"}, {"status": "affected", "version": "MT8678"}, {"status": "affected", "version": "MT8793"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1285", "description": "CWE-1285 Specified Index, Position, or Offset"}]}], "providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:03:11.668Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20413", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:03:11.668Z", "dateReserved": "2025-11-03T01:30:59.009Z", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "datePublished": "2026-02-02T08:15:07.775Z", "assignerShortName": "MediaTek"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6E9F80F-9AC9-41E0-BB14-9DB6F14B62CD", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*", "matchCriteriaId": "CBBB30DF-E963-4940-B742-F6801F68C3FC", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt8678:-:*:*:*:*:*:*:*", "matchCriteriaId": "152A5F3D-8004-4649-BDB1-E6F0798AF1CB", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*", "matchCriteriaId": "2FBD3487-F8CE-406C-8BD7-DD57FF8CD60B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694."}], "id": "CVE-2026-20413", "lastModified": "2026-02-03T21:55:23.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-02T09:15:56.317", "references": [{"source": "security@mediatek.com", "tags": ["Vendor Advisory"], "url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "sourceIdentifier": "security@mediatek.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1285"}], "source": "security@mediatek.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:33:17.362937+00:00", "value": {"mitigation_remediation": ["Apply the MediaTek update ALPS10362725 or the corresponding Android\u202f15.0 firmware update that incorporates the fix", "Ensure that the imgsys component is not exposed to untrusted code paths", "Monitor device logs for anomalous memory or driver activity that could indicate an attempted out\u2011of\u2011bounds write", "If a patch is not yet available, temporarily restrict access to the imgsys component and disable any features that allow local code execution"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected are MediaTek chipsets MT6899, MT6991, MT8678, and MT8793, as well as devices running Android\u202f15.0 that incorporate these chips. The patch identifier ALPS10362725 (Issue ID\u202fMSV\u20115694) addresses the issue.", "description_and_impact": "The vulnerability arises from a missing bounds check in the imgsys component of MediaTek chipsets. This allows an out\u2011of\u2011bounds write that can be exploited by an attacker who already has System privileges. The flaw does not require user interaction, and its exploitation could elevate local privileges further or allow a malicious actor to gain additional control over the device. The weakness is classified as both a missing bounds check (CWE\u20111285) and an out\u2011of\u2011bounds write (CWE\u2011787).", "risk_and_exploitability": "The CVSS base score is 6.7, indicating a moderate severity, while the EPSS score is below 1%, suggesting that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, further lowering the perceived risk from an external exploitation perspective. The likely attack vector is local; an attacker would need access to a system with System privileges and knowledge of the imgsys component to perform an out\u2011of\u2011bounds write. Although the exposure is limited to devices with the affected MediaTek chips, any compromise could lead to further lateral movement or persistence on the host."}}}}, "created": "2026-02-04T12:45:02.623031+00:00", "title": "Local Privilege Escalation via Out\u2011Of\u2011Bounds Write in MediaTek imgsys Component", "updated": "2026-04-16T17:45:27.367576+00:00", "vendors": ["mediatek", "mediatek$PRODUCT$mt6899", "mediatek$PRODUCT$mt6991", "mediatek$PRODUCT$mt8678", "mediatek$PRODUCT$mt8793"]}