{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20423", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "state": "PUBLISHED", "assignerShortName": "MediaTek", "dateReserved": "2025-11-03T01:30:59.010Z", "datePublished": "2026-03-02T08:37:41.026Z", "dateUpdated": "2026-03-30T13:05:18.799Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:05:18.799Z"}, "descriptions": [{"lang": "en", "value": "In wlan STA driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465314; Issue ID: MSV-4956."}], "affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "defaultStatus": "unaffected", "versions": [{"version": "MT7902", "status": "affected"}, {"version": "MT7920", "status": "affected"}, {"version": "MT7921", "status": "affected"}, {"version": "MT7922", "status": "affected"}, {"version": "MT7925", "status": "affected"}, {"version": "MT7927", "status": "affected"}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T04:56:07.773095Z", "id": "CVE-2026-20423", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T16:15:45.688Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20423", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T04:56:07.773095Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T18:47:45.450Z"}}], "cna": {"affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "versions": [{"status": "affected", "version": "MT7902"}, {"status": "affected", "version": "MT7920"}, {"status": "affected", "version": "MT7921"}, {"status": "affected", "version": "MT7922"}, {"status": "affected", "version": "MT7925"}, {"status": "affected", "version": "MT7927"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In wlan STA driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465314; Issue ID: MSV-4956."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function"}]}], "providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:05:18.799Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20423", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:05:18.799Z", "dateReserved": "2025-11-03T01:30:59.010Z", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "datePublished": "2026-03-02T08:37:41.026Z", "assignerShortName": "MediaTek"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediatek:nbiot_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "513F2D0C-0D1C-4C90-AA0F-4F43BF08EB0C", "versionEndIncluding": "3.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mediatek:mt7902:-:*:*:*:*:*:*:*", "matchCriteriaId": "91DEA745-47A8-43F1-A1B2-F53F651A99EF", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7920:-:*:*:*:*:*:*:*", "matchCriteriaId": "140DAC08-96E9-47D3-BC2E-65E999DCFD50", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7921:-:*:*:*:*:*:*:*", "matchCriteriaId": "32AFEA0A-FFE2-4EA9-8B51-7E3E75DE65CC", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7922:-:*:*:*:*:*:*:*", "matchCriteriaId": "EA2A6813-7138-441E-A9E4-FF62FCBD797A", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7925:-:*:*:*:*:*:*:*", "matchCriteriaId": "27CFC9DF-2F4C-469A-8A19-A260B1134CFE", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7927:-:*:*:*:*:*:*:*", "matchCriteriaId": "05525018-AFE0-415C-A71C-A77922C7D637", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In wlan STA driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465314; Issue ID: MSV-4956."}], "id": "CVE-2026-20423", "lastModified": "2026-03-03T17:16:18.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T09:16:15.340", "references": [{"source": "security@mediatek.com", "tags": ["Vendor Advisory"], "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "sourceIdentifier": "security@mediatek.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "security@mediatek.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT7902, MT7920, MT7921, MT7922, MT7925, MT7927", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7902", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT7902, MT7920, MT7921, MT7922, MT7925, MT7927", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7920", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT7902, MT7920, MT7921, MT7922, MT7925, MT7927", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7921", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT7902, MT7920, MT7921, MT7922, MT7925, MT7927", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7922", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT7902, MT7920, MT7921, MT7922, MT7925, MT7927", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7925", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT7902, MT7920, MT7921, MT7922, MT7925, MT7927", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7927", "vendor": "mediatek"}], "analysis": {"en": {"generated_at": "2026-04-16T14:39:37.990158+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch identified by patch ID WCNCR00465314 (Issue ID MSV-4956) to the affected WLAN STA driver.", "Reboot the device after patch application to ensure the changes take effect.", "If a patch is not immediately available, restrict local user rights and disable the WLAN interface through system configuration to mitigate the risk."], "summary": {"action": "Patch Now", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Devices with Mediatek chipsets\u2014including the MT7902, MT7920, MT7921, MT7922, MT7925, and MT7927\u2014are impacted, as are systems utilizing the Mediatek nbiot_sdk. The vulnerability is specific to the WLAN STA driver within these components.", "description_and_impact": "The vulnerability in Mediatek\u2019s WLAN Station driver arises from a missing bounds check, allowing an attacker to perform an out\u2011of\u2011bounds write. This defect can be exploited to gain higher privileges on the device, provided the attacker already holds standard user execution rights on the system. No additional user interaction is required, meaning the flaw can be leveraged purely locally.", "risk_and_exploitability": "With a CVSS score of 7.8 the flaw is considered high severity, yet the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not present in CISA\u2019s KEV catalog, but the combination of local escalation and the lack of user interaction makes it a serious risk for any system with an exposed Mediatek WLAN STA driver. An attacker would need user execution privileges on the device and would then trigger the out\u2011of\u2011bounds write to elevate those privileges without further input."}}}}, "created": "2026-03-03T08:45:55.790794+00:00", "title": "Out-of-Bounds Write in Mediatek WLAN STA Driver Leads to Local Privilege Escalation", "updated": "2026-04-16T14:45:25.973631+00:00", "vendors": ["mediatek", "mediatek$PRODUCT$mt7902", "mediatek$PRODUCT$mt7920", "mediatek$PRODUCT$mt7921", "mediatek$PRODUCT$mt7922", "mediatek$PRODUCT$mt7925", "mediatek$PRODUCT$mt7927"]}