In Bluetooth driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418044; Issue ID: MSV-3482.
The flaw consists of improper boundary verification in the Bluetooth driver code, allowing data to be written outside the designated heap buffer. An attacker with regular user-level privileges (User execution privileges) can trigger this flaw without requiring any interaction from the victim. Successful exploitation of the vulnerability can lead to gaining control over privileged system resources.
An attacker can achieve local privilege escalation, potentially gaining control over the device's operating system. The confidentiality, integrity, and availability of device data and resources are at risk.
Apply the patch identified as WCNCR00418044 (Issue ID: MSV-3482) in accordance with the MediaTek security bulletin from July 2025 available at https://corp.mediatek.com/product-security-bulletin/July-2025. OEM device manufacturers should promptly implement the provided fixes in firmware updates for their products.
MediaTek chipsets: MT7902, MT7920, MT7925, MT7921, and MediaTek NB-IoT SDK. Detailed information about affected software versions can be found in manufacturer references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMediatek Mt7902
HWMediatekwszystkie wersjeMediatek Mt7920
HWMediatekwszystkie wersjeMediatek Mt7921
HWMediatekwszystkie wersjeMediatek Mt7922
HWMediatekwszystkie wersjeMediatek Mt7925
HWMediatekwszystkie wersjeMediatek Mt7927
HWMediatekwszystkie wersjeMediatek Nbiot Sdk
APPMediatek≤ 3.6
Related vulnerabilities
Privilege escalation w sterowniku WLAN STA MediaTek — brak bounds check
Przepełnienie bufora sterty w sterowniku Bluetooth — MediaTek MT79xx
Out-of-bounds write w WLAN STA FW MediaTek — zdalne RCE
MediaTek WLAN Driver — błąd zapisu poza buforem umożliwiający RCE
MediaTek WLAN Driver — zapis poza granicami bufora umożliwia RCE