{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20441", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "state": "PUBLISHED", "assignerShortName": "MediaTek", "dateReserved": "2025-11-03T01:30:59.012Z", "datePublished": "2026-03-02T08:39:23.774Z", "dateUpdated": "2026-03-30T13:05:55.532Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:05:55.532Z"}, "descriptions": [{"lang": "en", "value": "In MAE, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10432500; Issue ID: MSV-5803."}], "affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "defaultStatus": "unaffected", "versions": [{"version": "MT2718", "status": "affected"}, {"version": "MT6899", "status": "affected"}, {"version": "MT6991", "status": "affected"}, {"version": "MT8678", "status": "affected"}, {"version": "MT8793", "status": "affected"}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-20441"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T04:55:53.784Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20441", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T13:26:55.940104Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T13:27:10.821Z"}}], "cna": {"affected": [{"vendor": "MediaTek, Inc.", "product": "MediaTek chipset", "versions": [{"status": "affected", "version": "MT2718"}, {"status": "affected", "version": "MT6899"}, {"status": "affected", "version": "MT6991"}, {"status": "affected", "version": "MT8678"}, {"status": "affected", "version": "MT8793"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In MAE, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10432500; Issue ID: MSV-5803."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "shortName": "MediaTek", "dateUpdated": "2026-03-30T13:05:55.532Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20441", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:05:55.532Z", "dateReserved": "2025-11-03T01:30:59.012Z", "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374", "datePublished": "2026-03-02T08:39:23.774Z", "assignerShortName": "MediaTek"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mediatek:mt2718:-:*:*:*:*:*:*:*", "matchCriteriaId": "F5506327-7DDF-4E88-9EA8-10B8E32F848B", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6E9F80F-9AC9-41E0-BB14-9DB6F14B62CD", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*", "matchCriteriaId": "CBBB30DF-E963-4940-B742-F6801F68C3FC", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt8678:-:*:*:*:*:*:*:*", "matchCriteriaId": "152A5F3D-8004-4649-BDB1-E6F0798AF1CB", "vulnerable": false}, {"criteria": "cpe:2.3:h:mediatek:mt8793:-:*:*:*:*:*:*:*", "matchCriteriaId": "2FBD3487-F8CE-406C-8BD7-DD57FF8CD60B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In MAE, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10432500; Issue ID: MSV-5803."}], "id": "CVE-2026-20441", "lastModified": "2026-03-03T13:02:46.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T09:16:17.447", "references": [{"source": "security@mediatek.com", "tags": ["Vendor Advisory"], "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"}], "sourceIdentifier": "security@mediatek.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security@mediatek.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android 15.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT2718, MT6899, MT6991, MT8678, MT8793", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt2718", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android 15.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT2718, MT6899, MT6991, MT8678, MT8793", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt6899", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android 15.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT2718, MT6899, MT6991, MT8678, MT8793", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt6991", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android 15.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT2718, MT6899, MT6991, MT8678, MT8793", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt8678", "vendor": "mediatek"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android 15.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MT2718, MT6899, MT6991, MT8678, MT8793", "source": "cna", "vendor": "MediaTek, Inc."}, "product": "mt8793", "vendor": "mediatek"}], "analysis": {"en": {"generated_at": "2026-04-16T05:52:39.153105+00:00", "value": {"mitigation_remediation": ["Apply the MediaTek MAE vulnerability patch ALPS10432500 to all affected chipsets", "If patch cannot be applied immediately, limit the use of services that generate MAE tasks and enforce least privilege on processes that can reach the System privilege", "Continuously monitor for suspicious activities that could indicate exploitation attempts of the out\u2011of\u2011bounds write"], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This issue affects several MediaTek chipsets, including the MT2718, MT6899, MT6991, MT8678, and MT8793 series. The problem also applies to devices running Android 15 where the MAE component is present. No specific firmware or operating system versions are listed, so all current releases of these chipsets should be presumed vulnerable until patched.", "description_and_impact": "The vulnerability in MediaTek's MAE component involves a missing bounds check that allows an out\u2011of\u2011bounds write. Because the write can occur to arbitrary memory locations, a local attacker who already holds System privilege can alter critical data and thereby elevate privileges further. This flaw does not require user interaction to be triggered, making it a straightforward local privilege escalation path.", "risk_and_exploitability": "The CVSS score of 6.7 indicates a moderate severity. The EPSS score is below 1%, suggesting that, at present, exploit activity is unlikely. The flaw is not included in the CISA KEV catalog, further indicating no widespread exploitation. Because the attacker needs to have already obtained System privilege, the direct attack vector is local and may involve escalation from an existing high\u2011privilege account. An attacker can take advantage of the memory overwrite to modify critical kernel structures or files, compromising device integrity."}}}}, "created": "2026-03-03T08:45:40.042201+00:00", "title": "Out-of-Bounds Write in MediaTek MAE Allows Local Privilege Escalation", "updated": "2026-04-16T06:00:10.143830+00:00", "vendors": ["mediatek", "mediatek$PRODUCT$mt2718", "mediatek$PRODUCT$mt6899", "mediatek$PRODUCT$mt6991", "mediatek$PRODUCT$mt8678", "mediatek$PRODUCT$mt8793"]}