MediaTek reports multiple vulnerabilities, two classified as critical
Take action: You can't do much about this advisory yourself. It's up to your device vendor to release an update. But keep up with patching and firmware updates. Because hackers will check.
Learn More
MediaTek has released a security bulletin detailing multiple vulnerabilities affecting their wide range of chipsets used in Smartphones, Tablets, AIoT, Smart displays, Smart platforms, OTT, Computer Vision, Audio, and TV devices.
The most significant vulnerabilities include:
- Critical Severity:
- CVE-2024-20154 (CVSS score 8.1, but MediaTek reports as critical): A stack overflow vulnerability in Modem components affecting 51 different chipsets. This flaw allows remote code execution (RCE) if a device connects to a malicious base station. No additional privileges or user interaction is required for exploitation.
- CVE-2024-20148 (CVSS score 9.8): Out-of-bounds write vulnerability in wlan STA FW
- High Severity:
- CVE-2024-20140 (CVSS score 6.7): Out-of-bounds write vulnerability in power components
- CVE-2024-20143 (CVSS score 6.6): Out-of-bounds write vulnerability in DA components
- CVE-2024-20144 (CVSS score 6.6): Out-of-bounds write vulnerability in DA components
- CVE-2024-20145 (CVSS score 6.6): Out-of-bounds write vulnerability in DA components
- CVE-2024-20146 (CVSS score 8.1): Out-of-bounds write vulnerability in wlan STA driver
- CVE-2024-20105 (CVSS score 6.7): Out-of-bounds write vulnerability in m4u components
The affected chipsets span across multiple product lines including MT2735, MT6767, MT6768, MT6769 series, MT6779, MT6781, MT6783, MT6785 series, impacting devices ranging from smartphones and IoT devices to Chromebooks and automotive systems.
MediaTek has notified all device manufacturers about these vulnerabilities and provided security patches at least two months prior to the public disclosure. No public reports of active exploitation have been mentioned in the advisory.
