CVE-2026-20407

In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00464377; Issue ID: MSV-4905.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://corp.mediatek.com/product-security-bulletin/February-2026	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:mediatek:nbiot_sdk:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:mediatek:mt7902:-:::::::*
	cpe:2.3:h:mediatek:mt7920:-:::::::*
	cpe:2.3:h:mediatek:mt7921:-:::::::*
	cpe:2.3:h:mediatek:mt7922:-:::::::*
	cpe:2.3:h:mediatek:mt7925:-:::::::*
	cpe:2.3:h:mediatek:mt7927:-:::::::*

History

No history.

Information

Published : 2026-02-02 09:15

Updated : 2026-02-04 13:50

NVD link : CVE-2026-20407

Mitre link : CVE-2026-20407

CVE.ORG link : CVE-2026-20407

JSON object : View

Products Affected

mediatek

mt7925
nbiot_sdk
mt7922
mt7921
mt7920
mt7927
mt7902

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-20407", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.5}]}, "published": "2026-02-02T09:15:55.520", "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/February-2026", "tags": ["Vendor Advisory"], "source": "security@mediatek.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@mediatek.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00464377; Issue ID: MSV-4905."}, {"lang": "es", "value": "En el controlador STA de WLAN, existe una posible escalada de privilegios debido a una falta de verificaci\u00f3n de l\u00edmites. Esto podr\u00eda llevar a una escalada de privilegios local con privilegios de ejecuci\u00f3n de usuario necesarios. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n. ID del parche: WCNCR00464377; ID del problema: MSV-4905."}], "lastModified": "2026-02-04T13:50:50.817", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mediatek:nbiot_sdk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "513F2D0C-0D1C-4C90-AA0F-4F43BF08EB0C", "versionEndIncluding": "3.8"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mediatek:mt7902:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "91DEA745-47A8-43F1-A1B2-F53F651A99EF"}, {"criteria": "cpe:2.3:h:mediatek:mt7920:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "140DAC08-96E9-47D3-BC2E-65E999DCFD50"}, {"criteria": "cpe:2.3:h:mediatek:mt7921:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "32AFEA0A-FFE2-4EA9-8B51-7E3E75DE65CC"}, {"criteria": "cpe:2.3:h:mediatek:mt7922:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EA2A6813-7138-441E-A9E4-FF62FCBD797A"}, {"criteria": "cpe:2.3:h:mediatek:mt7925:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "27CFC9DF-2F4C-469A-8A19-A260B1134CFE"}, {"criteria": "cpe:2.3:h:mediatek:mt7927:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "05525018-AFE0-415C-A71C-A77922C7D637"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@mediatek.com"}