MediaTek Releases Security Patch to Fix Vulnerabilities in Mobile and IoT Devices

MediaTek, a prominent semiconductor company specializing in mobile, IoT, and multimedia chipsets, has announced the release of critical software patches to address multiple security vulnerabilities uncovered in its products.

These vulnerabilities have the potential to compromise devices running MediaTek-powered chipsets, including smartphones, tablets, AIoT devices, smart displays, OTT platforms, and TVs.

The announcement comes as part of the company’s regular Product Security Bulletin, which details the issues and mitigation strategies provided to device OEMs.

Overview of Security Issues

The vulnerabilities identified in MediaTek chipsets were assessed using the Common Vulnerability Scoring System (CVSS v3.1).

The issues range from critical out-of-bounds write flaws that could enable remote code execution (RCE) to high-severity escalation of privilege (EoP) risks.

MediaTek clarified that OEMs had been notified at least two months prior to the public disclosure, enabling them to apply the security patches.

The vulnerabilities are associated with several MediaTek chipsets and software versions, affecting devices running Android, OpenWrt, Yocto, and RDK-B platforms.

Below is a detailed table summarizing the affected products and corresponding CVEs:

CVE	Title	Severity	Affected Software Versions
CVE-2025-20654	Out-of-bounds write in wlan	Critical	SDK 7.4.0.1 (MT7622, MT7915), SDK 7.6.7.0 (MT7916, MT7981, MT7986), OpenWrt 19.07, 21.02 (MT6890)
CVE-2025-20655	Out-of-bounds read in keymaster	High	Android 12.0, 14.0
CVE-2025-20656	Out-of-bounds write in DA	High	Android 12.0, 13.0, 14.0, 15.0 / OpenWRT 21.02, 23.05 / Yocto 4.0 / RDK-B 24Q1
CVE-2025-20657	Out-of-bounds write in vdec	High	Android 12.0, 15.0
CVE-2025-20658	Out-of-bounds write in DA	High	Android 12.0, 13.0, 14.0, 15.0

Implications of Vulnerabilities

• CVE-2025-20654: This critical vulnerability in the WLAN service allows remote code execution due to improper bounds checking. Exploitation does not require user interaction or additional execution privileges, making it a severe threat.
• CVE-2025-20655: The keymaster vulnerability could lead to local information disclosure if the attacker already has System-level privileges. It affects devices running Android 12 and 14.
• CVE-2025-20656 and CVE-2025-20658: These vulnerabilities in DA compromise device security by enabling local escalation of privilege without additional execution privileges if the attacker gains physical access to the device.
• CVE-2025-20657: The vdec permission bypass flaw creates opportunities for privilege escalation under certain conditions.

Recommendations for Users and OEMs

MediaTek urges affected OEMs to implement the security patches immediately to safeguard their devices and end-users from potential exploitation.

End-users should ensure their devices are running the latest firmware versions and regularly install system updates provided by manufacturers.

For enterprise users relying on IoT devices powered by MediaTek chipsets, it is strongly advised to review software configurations and apply security patches to mitigate the risks of remote code execution and data breaches.

The disclosure underscores the importance of robust security practices in the semiconductor industry.

With the increasing reliance on MediaTek-powered chipsets across mobile and IoT ecosystems, addressing vulnerabilities promptly is crucial to maintaining trust and ensuring user safety.

By releasing these patches and collaborating with OEMs, MediaTek demonstrates its commitment to product security and user protection.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!