{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20430", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "state": "PUBLISHED", "assignerShortName": "MediaTek", "dateReserved": "2025-11-03T01:30:59.011Z", "datePublished": "2026-03-02T08:39:08.082Z", "dateUpdated": "2026-03-30T13:05:32.389Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:05:32.389Z"}, "descriptions": [{"lang": "en", "value": "In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151."}], "affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "defaultStatus": "unaffected", "versions": [{"version": "MT6890", "status": "affected"}, {"version": "MT7915", "status": "affected"}, {"version": "MT7916", "status": "affected"}, {"version": "MT7981", "status": "affected"}, {"version": "MT7986", "status": "affected"}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-20430"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T04:55:59.512Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20430", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T13:38:51.165350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T13:38:43.828Z"}}], "cna": {"affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "versions": [{"status": "affected", "version": "MT6890"}, {"status": "affected", "version": "MT7915"}, {"status": "affected", "version": "MT7916"}, {"status": "affected", "version": "MT7981"}, {"status": "affected", "version": "MT7986"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:05:32.389Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20430", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:05:32.389Z", "dateReserved": "2025-11-03T01:30:59.011Z", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "datePublished": "2026-03-02T08:39:08.082Z", "assignerShortName": "MediaTek"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mediatek:software_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "70AFB017-99A8-4A7F-AEA5-AF875101DB23", "versionEndIncluding": "7.6.7.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:openwrt:openwrt:19.07.0:-:*:*:*:*:*:*", "matchCriteriaId": "4FA469E2-9E63-4C9A-8EBA-10C8C870063A", "vulnerable": true}, {"criteria": "cpe:2.3:o:openwrt:openwrt:21.02.0:-:*:*:*:*:*:*", "matchCriteriaId": "F0133207-2EED-4625-854F-8DB7770D5BF7", "vulnerable": true}, {"criteria": "cpe:2.3:o:openwrt:openwrt:23.05.0:-:*:*:*:*:*:*", "matchCriteriaId": "00113669-2850-4F0C-913A-92CA5290746E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:*", "matchCriteriaId": "171D1C08-F055-44C0-913C-AA2B73AF5B72", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7915:-:*:*:*:*:*:*:*", "matchCriteriaId": "3AB22996-9C22-4B6C-9E94-E4C055D16335", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7916:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD5AA441-5381-4179-89EB-1642120F72B4", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7981:-:*:*:*:*:*:*:*", "matchCriteriaId": "490CD97B-021F-4350-AEE7-A2FA866D5889", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt7986:-:*:*:*:*:*:*:*", "matchCriteriaId": "40A9E917-4B34-403F-B512-09EEBEA46811", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151."}], "id": "CVE-2026-20430", "lastModified": "2026-03-02T22:05:08.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T09:16:16.323", "references": [{"source": "security@mediatek.com", "tags": ["Vendor Advisory"], "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "sourceIdentifier": "security@mediatek.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security@mediatek.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.6.7.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT6890, MT7915, MT7916, MT7981, MT7986", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt6890", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.6.7.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT6890, MT7915, MT7916, MT7981, MT7986", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7915", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.6.7.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT6890, MT7915, MT7916, MT7981, MT7986", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7916", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.6.7.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT6890, MT7915, MT7916, MT7981, MT7986", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7981", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.6.7.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT6890, MT7915, MT7916, MT7981, MT7986", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt7986", "vendor": "mediatek"}], "analysis": {"en": {"generated_at": "2026-04-16T14:37:48.483020+00:00", "value": {"mitigation_remediation": ["Apply the official firmware update containing Patch ID WCNCR00467553 to all affected MediaTek devices", "Upgrade to the latest available AP firmware version for each specific chipset (MT6890, MT7915, MT7916, MT7981, MT7986)", "If an immediate firmware upgrade cannot be performed, limit wireless traffic or disable the vulnerable interfaces until the patch can be applied"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects MediaTek chipsets used in wireless access points, including the MT6890, MT7915, MT7916, MT7981, and MT7986 families. Devices running OpenWrt firmware versions 19.07.0, 21.02.0, or 23.05.0 on these chipsets are also impacted. Any network equipment that incorporates these MediaTek chipsets and runs the referenced firmware is vulnerable.", "description_and_impact": "The vulnerability is a CWE\u2011787 out\u2011of\u2011bounds write in the MediaTek WLAN access point firmware caused by an insufficient bounds check. The flaw can be triggered without user interaction, allowing a malicious actor to alter memory structures and elevate privileges within the device. The impact is a local or proximal privilege escalation that grants the attacker higher level access without additional code execution capabilities.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests a low current exploitation probability, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation does not require user interaction and is likely to occur through crafted wireless traffic source proximity. Attackers could send specially constructed packets to the access point, causing the firmware to perform an out\u2011of\u2011bounds write and gain elevated privileges."}}}}, "created": "2026-03-03T08:45:48.735999+00:00", "title": "Out-of-Bounds Write in MediaTek Wireless Firmware Enables Privilege Escalation", "updated": "2026-04-16T14:45:25.954836+00:00", "vendors": ["mediatek", "mediatek$PRODUCT$mt6890", "mediatek$PRODUCT$mt7915", "mediatek$PRODUCT$mt7916", "mediatek$PRODUCT$mt7981", "mediatek$PRODUCT$mt7986"]}