{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20418", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "state": "PUBLISHED", "assignerShortName": "MediaTek", "dateReserved": "2025-11-03T01:30:59.009Z", "datePublished": "2026-02-02T08:15:15.670Z", "dateUpdated": "2026-03-30T13:03:22.186Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:03:22.186Z"}, "descriptions": [{"lang": "en", "value": "In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927."}], "affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "defaultStatus": "unaffected", "versions": [{"version": "MT7931", "status": "affected"}, {"version": "MT7933", "status": "affected"}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T04:55:34.503311Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:37.084Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T04:55:34.503311Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T13:47:18.296Z"}}], "cna": {"affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "versions": [{"status": "affected", "version": "MT7931"}, {"status": "affected", "version": "MT7933"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:03:22.186Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20418", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:03:22.186Z", "dateReserved": "2025-11-03T01:30:59.009Z", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "datePublished": "2026-02-02T08:15:15.670Z", "assignerShortName": "MediaTek"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:matter:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F9A93E8-E013-4822-A6FC-A116C1DD8161", "versionEndIncluding": "1.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mediatek:mt7931:-:*:*:*:*:*:*:*", "matchCriteriaId": "9DDCA338-7A89-49FA-9F78-5FA6D69D1FC9", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7933:-:*:*:*:*:*:*:*", "matchCriteriaId": "727F29FD-E8DA-46F1-9C98-9D194E981E38", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927."}], "id": "CVE-2026-20418", "lastModified": "2026-02-03T21:51:35.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-02T09:15:56.853", "references": [{"source": "security@mediatek.com", "tags": ["Vendor Advisory"], "url": "https://corp.mediatek.com/product-security-bulletin/February-2026"}], "sourceIdentifier": "security@mediatek.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security@mediatek.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:32:10.782930+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied firmware patch identified by WCNCR00465153", "Until the patch is available, limit or block Thread/Matter traffic to the device from external networks that are not trusted", "Isolate the affected device within a dedicated, trusted network segment and restrict lateral movement by enforcing strict network access controls"], "summary": {"action": "Immediate Patch", "impact": "Remote Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MediaTek devices that incorporate the MT7931 or MT7933 chipsets, components commonly used in Internet of Things appliances. It may also impact systems that rely on these chipsets for Matter\u2011based connectivity. Only the specified hardware revisions are known to be susceptible.", "description_and_impact": "A missing bounds check in the Thread implementation of MediaTek chipsets allows an adversary to perform an out\u2011of\u2011bounds write. This flaw can be triggered remotely and leads to escalation of privileges without the need for additional execution rights. The weakness is identified as a buffer overrun (CWE\u2011787).", "risk_and_exploitability": "The CVSS base score is 9.8, indicating critical severity. The EPSS score is less than 1\u202f%, suggesting a low likelihood of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as no user interaction is required for exploitation, and the flaw permits privilege escalation immediately upon a successful out\u2011of\u2011bounds write."}}}}, "created": "2026-02-04T12:44:53.302959+00:00", "title": "Out\u2011of\u2011Bounds Write in MediaTek Thread Leading to Remote Privilege Escalation", "updated": "2026-04-16T17:45:27.366937+00:00", "vendors": ["mediatek", "mediatek$PRODUCT$mt7931", "mediatek$PRODUCT$mt7933"]}