Search
Find a vulnerability
Search criteria
269 vulnerabilities found for openwrt by openwrt
CVE-2026-32721 (GCVE-0-2026-32721)
Vulnerability from nvd – Published: 2026-03-19 22:46 – Updated: 2026-03-25 03:56
VLAI
Title
LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal
Summary
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/luci/security/advisori… | x_refsource_CONFIRM |
| https://github.com/openwrt/luci/commit/068150ba5f… | x_refsource_MISC |
| https://github.com/openwrt/luci/commit/cdce600aae… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T03:56:15.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "luci",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 26.072.65753~068150b"
}
]
},
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 24.10.6"
},
{
"status": "affected",
"version": "\u003e= 25.12.0, \u003c 25.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:46:43.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw"
},
{
"name": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6"
},
{
"name": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7"
}
],
"source": {
"advisory": "GHSA-vvj6-7362-pjrw",
"discovery": "UNKNOWN"
},
"title": "LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32721",
"datePublished": "2026-03-19T22:46:43.909Z",
"dateReserved": "2026-03-13T15:02:00.625Z",
"dateUpdated": "2026-03-25T03:56:15.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30874 (GCVE-0-2026-30874)
Vulnerability from nvd – Published: 2026-03-19 22:36 – Updated: 2026-03-20 18:09
VLAI
Title
OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/procd/commit/e08cdc856… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T17:13:02.973267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:36.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 24.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:36:04.507Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934"
},
{
"name": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81"
}
],
"source": {
"advisory": "GHSA-jw28-hxcm-j934",
"discovery": "UNKNOWN"
},
"title": "OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30874",
"datePublished": "2026-03-19T22:36:04.507Z",
"dateReserved": "2026-03-06T00:04:56.699Z",
"dateUpdated": "2026-03-20T18:09:36.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30873 (GCVE-0-2026-30873)
Vulnerability from nvd – Published: 2026-03-19 22:01 – Updated: 2026-03-21 03:26
VLAI
Title
OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:25:41.581578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:26:08.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
},
{
"status": "affected",
"version": "\u003c 24.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 2.4,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:01:03.867Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
}
],
"source": {
"advisory": "GHSA-rcc6-v4r6-gj4m",
"discovery": "UNKNOWN"
},
"title": "OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30873",
"datePublished": "2026-03-19T22:01:03.867Z",
"dateReserved": "2026-03-06T00:04:56.698Z",
"dateUpdated": "2026-03-21T03:26:08.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30872 (GCVE-0-2026-30872)
Vulnerability from nvd – Published: 2026-03-19 21:56 – Updated: 2026-03-25 03:56
VLAI
Title
OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T03:56:13.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
},
{
"status": "affected",
"version": "\u003c 24.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T21:56:23.472Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
}
],
"source": {
"advisory": "GHSA-mpgh-v658-jqv5",
"discovery": "UNKNOWN"
},
"title": "OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30872",
"datePublished": "2026-03-19T21:56:23.472Z",
"dateReserved": "2026-03-06T00:04:56.698Z",
"dateUpdated": "2026-03-25T03:56:13.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30871 (GCVE-0-2026-30871)
Vulnerability from nvd – Published: 2026-03-19 21:49 – Updated: 2026-03-25 03:56
VLAI
Title
OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T03:56:12.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 24.10.6"
},
{
"status": "affected",
"version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \\001), significantly inflating the expanded name beyond the stack buffer\u0027s capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T21:49:50.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
}
],
"source": {
"advisory": "GHSA-7c3j-f7w2-p8f6",
"discovery": "UNKNOWN"
},
"title": "OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30871",
"datePublished": "2026-03-19T21:49:50.876Z",
"dateReserved": "2026-03-06T00:04:56.698Z",
"dateUpdated": "2026-03-25T03:56:12.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20435 (GCVE-0-2026-20435)
Vulnerability from nvd – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
VLAI
Summary
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT2737
Affected: MT6739 Affected: MT6761 Affected: MT6765 Affected: MT6768 Affected: MT6781 Affected: MT6789 Affected: MT6813 Affected: MT6833 Affected: MT6853 Affected: MT6855 Affected: MT6877 Affected: MT6878 Affected: MT6879 Affected: MT6880 Affected: MT6885 Affected: MT6886 Affected: MT6890 Affected: MT6893 Affected: MT6895 Affected: MT6897 Affected: MT6983 Affected: MT6985 Affected: MT6989 Affected: MT6990 Affected: MT6993 Affected: MT8169 Affected: MT8186 Affected: MT8188 Affected: MT8370 Affected: MT8390 Affected: MT8676 Affected: MT8678 Affected: MT8696 Affected: MT8793 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T13:35:00.235194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T13:35:04.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT2737"
},
{
"status": "affected",
"version": "MT6739"
},
{
"status": "affected",
"version": "MT6761"
},
{
"status": "affected",
"version": "MT6765"
},
{
"status": "affected",
"version": "MT6768"
},
{
"status": "affected",
"version": "MT6781"
},
{
"status": "affected",
"version": "MT6789"
},
{
"status": "affected",
"version": "MT6813"
},
{
"status": "affected",
"version": "MT6833"
},
{
"status": "affected",
"version": "MT6853"
},
{
"status": "affected",
"version": "MT6855"
},
{
"status": "affected",
"version": "MT6877"
},
{
"status": "affected",
"version": "MT6878"
},
{
"status": "affected",
"version": "MT6879"
},
{
"status": "affected",
"version": "MT6880"
},
{
"status": "affected",
"version": "MT6885"
},
{
"status": "affected",
"version": "MT6886"
},
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT6893"
},
{
"status": "affected",
"version": "MT6895"
},
{
"status": "affected",
"version": "MT6897"
},
{
"status": "affected",
"version": "MT6983"
},
{
"status": "affected",
"version": "MT6985"
},
{
"status": "affected",
"version": "MT6989"
},
{
"status": "affected",
"version": "MT6990"
},
{
"status": "affected",
"version": "MT6993"
},
{
"status": "affected",
"version": "MT8169"
},
{
"status": "affected",
"version": "MT8186"
},
{
"status": "affected",
"version": "MT8188"
},
{
"status": "affected",
"version": "MT8370"
},
{
"status": "affected",
"version": "MT8390"
},
{
"status": "affected",
"version": "MT8676"
},
{
"status": "affected",
"version": "MT8678"
},
{
"status": "affected",
"version": "MT8696"
},
{
"status": "affected",
"version": "MT8793"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:05:38.348Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20435",
"datePublished": "2026-03-02T08:39:12.070Z",
"dateReserved": "2025-11-03T01:30:59.011Z",
"dateUpdated": "2026-03-30T13:05:38.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20430 (GCVE-0-2026-20430)
Vulnerability from nvd – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
VLAI
Summary
In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6890
Affected: MT7915 Affected: MT7916 Affected: MT7981 Affected: MT7986 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T04:55:59.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT7915"
},
{
"status": "affected",
"version": "MT7916"
},
{
"status": "affected",
"version": "MT7981"
},
{
"status": "affected",
"version": "MT7986"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:05:32.389Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20430",
"datePublished": "2026-03-02T08:39:08.082Z",
"dateReserved": "2025-11-03T01:30:59.011Z",
"dateUpdated": "2026-03-30T13:05:32.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20419 (GCVE-0-2026-20419)
Vulnerability from nvd – Published: 2026-02-02 08:16 – Updated: 2026-03-30 13:03
VLAI
Summary
In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6890
Affected: MT6989TB Affected: MT7902 Affected: MT7915 Affected: MT7916 Affected: MT7920 Affected: MT7921 Affected: MT7922 Affected: MT7925 Affected: MT7927 Affected: MT7981 Affected: MT7986 Affected: MT8196 Affected: MT8668 Affected: MT8676 Affected: MT8678 Affected: MT8775 Affected: MT8791T Affected: MT8792 Affected: MT8793 Affected: MT8796 Affected: MT8873 Affected: MT8883 Affected: MT8893 Affected: MT8910 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T16:11:25.115269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T16:11:40.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT6989TB"
},
{
"status": "affected",
"version": "MT7902"
},
{
"status": "affected",
"version": "MT7915"
},
{
"status": "affected",
"version": "MT7916"
},
{
"status": "affected",
"version": "MT7920"
},
{
"status": "affected",
"version": "MT7921"
},
{
"status": "affected",
"version": "MT7922"
},
{
"status": "affected",
"version": "MT7925"
},
{
"status": "affected",
"version": "MT7927"
},
{
"status": "affected",
"version": "MT7981"
},
{
"status": "affected",
"version": "MT7986"
},
{
"status": "affected",
"version": "MT8196"
},
{
"status": "affected",
"version": "MT8668"
},
{
"status": "affected",
"version": "MT8676"
},
{
"status": "affected",
"version": "MT8678"
},
{
"status": "affected",
"version": "MT8775"
},
{
"status": "affected",
"version": "MT8791T"
},
{
"status": "affected",
"version": "MT8792"
},
{
"status": "affected",
"version": "MT8793"
},
{
"status": "affected",
"version": "MT8796"
},
{
"status": "affected",
"version": "MT8873"
},
{
"status": "affected",
"version": "MT8883"
},
{
"status": "affected",
"version": "MT8893"
},
{
"status": "affected",
"version": "MT8910"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:03:33.830Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20419",
"datePublished": "2026-02-02T08:16:46.837Z",
"dateReserved": "2025-11-03T01:30:59.009Z",
"dateUpdated": "2026-03-30T13:03:33.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20408 (GCVE-0-2026-20408)
Vulnerability from nvd – Published: 2026-02-02 08:14 – Updated: 2026-03-30 13:02
VLAI
Summary
In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6890
Affected: MT7615 Affected: MT7915 Affected: MT7916 Affected: MT7981 Affected: MT7986 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T04:55:40.470235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:39.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT7615"
},
{
"status": "affected",
"version": "MT7915"
},
{
"status": "affected",
"version": "MT7916"
},
{
"status": "affected",
"version": "MT7981"
},
{
"status": "affected",
"version": "MT7986"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:02:57.756Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20408",
"datePublished": "2026-02-02T08:14:56.694Z",
"dateReserved": "2025-11-03T01:30:59.008Z",
"dateUpdated": "2026-03-30T13:02:57.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20765 (GCVE-0-2025-20765)
Vulnerability from nvd – Published: 2025-12-02 02:34 – Updated: 2026-01-13 14:32
VLAI
Summary
In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
Impacted products
1 product
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T14:54:51.695288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T14:32:32.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT2718, MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6897, MT6899, MT6980D, MT6983, MT6985, MT6989, MT6990, MT6991, MT8113, MT8115, MT8139, MT8163, MT8168, MT8169, MT8183, MT8186, MT8188, MT8512, MT8516, MT8518, MT8519, MT8532, MT8676, MT8678, MT8695, MT8696, MT8698",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "Android 14.0, 15.0, 16.0 / openWRT 21.02, 23.05 / Yocto 4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T09:32:55.184Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20765",
"datePublished": "2025-12-02T02:34:28.595Z",
"dateReserved": "2024-11-01T01:21:50.398Z",
"dateUpdated": "2026-01-13T14:32:32.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20748 (GCVE-0-2025-20748)
Vulnerability from nvd – Published: 2025-11-04 06:20 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00432679; Issue ID: MSV-3950.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 |
Affected:
SDK release 7.6.7.2 and before / openWRT 19.07, 21.02
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:29.955474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:20.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "SDK release 7.6.7.2 and before / openWRT 19.07, 21.02"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00432679; Issue ID: MSV-3950."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T05:32:32.208Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20748",
"datePublished": "2025-11-04T06:20:23.128Z",
"dateReserved": "2024-11-01T01:21:50.396Z",
"dateUpdated": "2026-02-26T17:47:20.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20747 (GCVE-0-2025-20747)
Vulnerability from nvd – Published: 2025-11-04 06:20 – Updated: 2026-02-26 17:47
VLAI
Summary
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT2718, MT2737, MT6835, MT6878, MT6886, MT6897, MT6899, MT6982, MT6985, MT6986, MT6986D, MT6989, MT6990, MT6991, MT8676, MT8678, MT8755, MT8893 |
Affected:
Android 14.0, 15.0 / openWRT 21.02, 23.05 / Yocto 4.0 / RDK-B 24Q1 / Zephyr 3.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:31.620548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:20.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT2718, MT2737, MT6835, MT6878, MT6886, MT6897, MT6899, MT6982, MT6985, MT6986, MT6986D, MT6989, MT6990, MT6991, MT8676, MT8678, MT8755, MT8893",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "Android 14.0, 15.0 / openWRT 21.02, 23.05 / Yocto 4.0 / RDK-B 24Q1 / Zephyr 3.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:20:19.607Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20747",
"datePublished": "2025-11-04T06:20:19.607Z",
"dateReserved": "2024-11-01T01:21:50.396Z",
"dateUpdated": "2026-02-26T17:47:20.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20746 (GCVE-0-2025-20746)
Vulnerability from nvd – Published: 2025-11-04 06:20 – Updated: 2026-02-26 17:47
VLAI
Summary
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT2718, MT2737, MT6835, MT6878, MT6886, MT6897, MT6899, MT6982, MT6985, MT6986, MT6986D, MT6989, MT6990, MT6991, MT8676, MT8678, MT8755, MT8893 |
Affected:
Android 14.0, 15.0 / openWRT 21.02, 23.05 / Yocto 4.0 / RDK-B 24Q1 / Zephyr 3.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:33.285765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:21.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT2718, MT2737, MT6835, MT6878, MT6886, MT6897, MT6899, MT6982, MT6985, MT6986, MT6986D, MT6989, MT6990, MT6991, MT8676, MT8678, MT8755, MT8893",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "Android 14.0, 15.0 / openWRT 21.02, 23.05 / Yocto 4.0 / RDK-B 24Q1 / Zephyr 3.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:20:17.860Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20746",
"datePublished": "2025-11-04T06:20:17.860Z",
"dateReserved": "2024-11-01T01:21:50.396Z",
"dateUpdated": "2026-02-26T17:47:21.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20742 (GCVE-0-2025-20742)
Vulnerability from nvd – Published: 2025-11-04 06:19 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00432680; Issue ID: MSV-3949.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7603, MT7615, MT7622, MT7915, MT7916, MT7981, MT7986 |
Affected:
SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02 (MT6890)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:44.490638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:25.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7603, MT7615, MT7622, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02 (MT6890)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00432680; Issue ID: MSV-3949."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:19:56.287Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20742",
"datePublished": "2025-11-04T06:19:56.287Z",
"dateReserved": "2024-11-01T01:21:50.395Z",
"dateUpdated": "2026-02-26T17:47:25.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20741 (GCVE-0-2025-20741)
Vulnerability from nvd – Published: 2025-11-04 06:20 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00434422; Issue ID: MSV-3958.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 |
Affected:
SDK release 7.6.7.2 and before / openWRT 19.07, 21.02
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:30.834149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:20.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "SDK release 7.6.7.2 and before / openWRT 19.07, 21.02"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00434422; Issue ID: MSV-3958."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:20:21.366Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20741",
"datePublished": "2025-11-04T06:20:21.366Z",
"dateReserved": "2024-11-01T01:21:50.395Z",
"dateUpdated": "2026-02-26T17:47:20.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20739 (GCVE-0-2025-20739)
Vulnerability from nvd – Published: 2025-11-04 06:20 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00435340; Issue ID: MSV-4038.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 |
Affected:
SDK release 7.6.7.2 and before / openWRT 19.07, 21.02
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:34.067524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:21.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "SDK release 7.6.7.2 and before / openWRT 19.07, 21.02"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00435340; Issue ID: MSV-4038."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:20:16.025Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20739",
"datePublished": "2025-11-04T06:20:16.025Z",
"dateReserved": "2024-11-01T01:21:50.395Z",
"dateUpdated": "2026-02-26T17:47:21.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20738 (GCVE-0-2025-20738)
Vulnerability from nvd – Published: 2025-11-04 06:20 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00435342; Issue ID: MSV-4039.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 |
Affected:
SDK release 7.6.7.2 and before / openWRT 19.07, 21.02
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:34.873661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:21.974Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "SDK release 7.6.7.2 and before / openWRT 19.07, 21.02"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00435342; Issue ID: MSV-4039."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:20:14.296Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20738",
"datePublished": "2025-11-04T06:20:14.296Z",
"dateReserved": "2024-11-01T01:21:50.395Z",
"dateUpdated": "2026-02-26T17:47:21.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20737 (GCVE-0-2025-20737)
Vulnerability from nvd – Published: 2025-11-04 06:19 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00435343; Issue ID: MSV-4040.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 |
Affected:
Versions:SDK release 7.6.7.2 and before / openWRT 19.07, 21.02
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:43.623620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:25.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "Versions:SDK release 7.6.7.2 and before / openWRT 19.07, 21.02"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00435343; Issue ID: MSV-4040."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:19:52.883Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20737",
"datePublished": "2025-11-04T06:19:52.883Z",
"dateReserved": "2024-11-01T01:21:50.395Z",
"dateUpdated": "2026-02-26T17:47:25.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20736 (GCVE-0-2025-20736)
Vulnerability from nvd – Published: 2025-11-04 06:20 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00435347; Issue ID: MSV-4049.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 |
Affected:
SDK release 7.6.7.2 and before / openWRT 19.07, 21.02
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20736",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:35.653762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:22.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "SDK release 7.6.7.2 and before / openWRT 19.07, 21.02"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: WCNCR00435347; Issue ID: MSV-4049."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:20:12.530Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20736",
"datePublished": "2025-11-04T06:20:12.530Z",
"dateReserved": "2024-11-01T01:21:50.395Z",
"dateUpdated": "2026-02-26T17:47:22.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20735 (GCVE-0-2025-20735)
Vulnerability from nvd – Published: 2025-11-04 06:19 – Updated: 2026-02-26 17:47
VLAI
Summary
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00435349; Issue ID: MSV-4051.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 |
Affected:
SDK release 7.6.7.2 and before / openWRT 19.07, 21.02
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T04:55:42.660721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:26.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "SDK release 7.6.7.2 and before / openWRT 19.07, 21.02"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00435349; Issue ID: MSV-4051."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T06:19:50.999Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/November-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20735",
"datePublished": "2025-11-04T06:19:50.999Z",
"dateReserved": "2024-11-01T01:21:50.394Z",
"dateUpdated": "2026-02-26T17:47:26.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32721 (GCVE-0-2026-32721)
Vulnerability from cvelistv5 – Published: 2026-03-19 22:46 – Updated: 2026-03-25 03:56
VLAI
Title
LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal
Summary
LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/luci/security/advisori… | x_refsource_CONFIRM |
| https://github.com/openwrt/luci/commit/068150ba5f… | x_refsource_MISC |
| https://github.com/openwrt/luci/commit/cdce600aae… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T03:56:15.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "luci",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 26.072.65753~068150b"
}
]
},
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 24.10.6"
},
{
"status": "affected",
"version": "\u003e= 25.12.0, \u003c 25.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passes SSIDs via a template literal to dom.append(), which processes them through innerHTML, allowing an attacker to craft a malicious SSID containing arbitrary HTML/JavaScript. Exploitation requires the user to actively open the wireless scan modal (e.g., to connect to a Wi-Fi access point or survey nearby channels), and only affects OpenWrt versions newer than 23.05/22.03 up to the patched releases (24.10.6 and 25.12.1). The issue has been fixed in version LuCI 26.072.65753~068150b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:46:43.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/luci/security/advisories/GHSA-vvj6-7362-pjrw"
},
{
"name": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/luci/commit/068150ba5f524ef6b03817b258d31ec310053fd6"
},
{
"name": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/luci/commit/cdce600aaec66f762f18d608c74cbf3abcafe1c7"
}
],
"source": {
"advisory": "GHSA-vvj6-7362-pjrw",
"discovery": "UNKNOWN"
},
"title": "LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32721",
"datePublished": "2026-03-19T22:46:43.909Z",
"dateReserved": "2026-03-13T15:02:00.625Z",
"dateUpdated": "2026-03-25T03:56:15.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30874 (GCVE-0-2026-30874)
Vulnerability from cvelistv5 – Published: 2026-03-19 22:36 – Updated: 2026-03-20 18:09
VLAI
Title
OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/procd/commit/e08cdc856… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30874",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T17:13:02.973267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:36.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 24.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal \"PATH\", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:36:04.507Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-jw28-hxcm-j934"
},
{
"name": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac228a21f3f7605a18c522b81"
}
],
"source": {
"advisory": "GHSA-jw28-hxcm-j934",
"discovery": "UNKNOWN"
},
"title": "OpenWrt procd PATH Environment Variable Filter Bypass via Incorrect String Comparison Leads to Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30874",
"datePublished": "2026-03-19T22:36:04.507Z",
"dateReserved": "2026-03-06T00:04:56.699Z",
"dateUpdated": "2026-03-20T18:09:36.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30873 (GCVE-0-2026-30873)
Vulnerability from cvelistv5 – Published: 2026-03-19 22:01 – Updated: 2026-03-21 03:26
VLAI
Title
OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:25:41.581578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:26:08.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
},
{
"status": "affected",
"version": "\u003c 24.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 2.4,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:01:03.867Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
}
],
"source": {
"advisory": "GHSA-rcc6-v4r6-gj4m",
"discovery": "UNKNOWN"
},
"title": "OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30873",
"datePublished": "2026-03-19T22:01:03.867Z",
"dateReserved": "2026-03-06T00:04:56.698Z",
"dateUpdated": "2026-03-21T03:26:08.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30872 (GCVE-0-2026-30872)
Vulnerability from cvelistv5 – Published: 2026-03-19 21:56 – Updated: 2026-03-25 03:56
VLAI
Title
OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30872",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T03:56:13.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
},
{
"status": "affected",
"version": "\u003c 24.10.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the match_ipv6_addresses function, triggered when processing PTR queries for IPv6 reverse DNS domains (.ip6.arpa) received via multicast DNS on UDP port 5353. During processing, the domain name from name_buffer is copied via strcpy into a fixed 256-byte stack buffer, and then the reverse IPv6 request is extracted into a buffer of only 46 bytes (INET6_ADDRSTRLEN). Because the length of the data is never validated before this extraction, an attacker can supply input larger than 46 bytes, causing an out-of-bounds write. This allows a specially crafted DNS query to overflow the stack buffer in match_ipv6_addresses, potentially enabling remote code execution. This issue has been fixed in versions 24.10.6 and 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T21:56:23.472Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-mpgh-v658-jqv5"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
}
],
"source": {
"advisory": "GHSA-mpgh-v658-jqv5",
"discovery": "UNKNOWN"
},
"title": "OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30872",
"datePublished": "2026-03-19T21:56:23.472Z",
"dateReserved": "2026-03-06T00:04:56.698Z",
"dateUpdated": "2026-03-25T03:56:13.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30871 (GCVE-0-2026-30871)
Vulnerability from cvelistv5 – Published: 2026-03-19 21:49 – Updated: 2026-03-25 03:56
VLAI
Title
OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query
Summary
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \001), significantly inflating the expanded name beyond the stack buffer's capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openwrt/openwrt/security/advis… | x_refsource_CONFIRM |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
| https://github.com/openwrt/openwrt/releases/tag/v… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30871",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T03:56:12.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openwrt",
"vendor": "openwrt",
"versions": [
{
"status": "affected",
"version": "\u003c 24.10.6"
},
{
"status": "affected",
"version": "\u003e= 25.12.0-rc1, \u003c 25.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6 and 25.12.1, the mdns daemon has a Stack-based Buffer Overflow vulnerability in the parse_question function. The issue is triggered by PTR queries for reverse DNS domains (.in-addr.arpa and .ip6.arpa). DNS packets received on UDP port 5353 are expanded by dn_expand into an 8096-byte global buffer (name_buffer), which is then copied via an unbounded strcpy into a fixed 256-byte stack buffer when handling TYPE_PTR queries. The overflow is possible because dn_expand converts non-printable ASCII bytes (e.g., 0x01) into multi-character octal representations (e.g., \\001), significantly inflating the expanded name beyond the stack buffer\u0027s capacity. A crafted DNS packet can exploit this expansion behavior to overflow the stack buffer, making the vulnerability reachable through normal multicast DNS packet processing. This issue has been fixed in versions 24.10.6 and 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T21:49:50.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-7c3j-f7w2-p8f6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"
},
{
"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"
}
],
"source": {
"advisory": "GHSA-7c3j-f7w2-p8f6",
"discovery": "UNKNOWN"
},
"title": "OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30871",
"datePublished": "2026-03-19T21:49:50.876Z",
"dateReserved": "2026-03-06T00:04:56.698Z",
"dateUpdated": "2026-03-25T03:56:12.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20435 (GCVE-0-2026-20435)
Vulnerability from cvelistv5 – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
VLAI
Summary
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT2737
Affected: MT6739 Affected: MT6761 Affected: MT6765 Affected: MT6768 Affected: MT6781 Affected: MT6789 Affected: MT6813 Affected: MT6833 Affected: MT6853 Affected: MT6855 Affected: MT6877 Affected: MT6878 Affected: MT6879 Affected: MT6880 Affected: MT6885 Affected: MT6886 Affected: MT6890 Affected: MT6893 Affected: MT6895 Affected: MT6897 Affected: MT6983 Affected: MT6985 Affected: MT6989 Affected: MT6990 Affected: MT6993 Affected: MT8169 Affected: MT8186 Affected: MT8188 Affected: MT8370 Affected: MT8390 Affected: MT8676 Affected: MT8678 Affected: MT8696 Affected: MT8793 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T13:35:00.235194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T13:35:04.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT2737"
},
{
"status": "affected",
"version": "MT6739"
},
{
"status": "affected",
"version": "MT6761"
},
{
"status": "affected",
"version": "MT6765"
},
{
"status": "affected",
"version": "MT6768"
},
{
"status": "affected",
"version": "MT6781"
},
{
"status": "affected",
"version": "MT6789"
},
{
"status": "affected",
"version": "MT6813"
},
{
"status": "affected",
"version": "MT6833"
},
{
"status": "affected",
"version": "MT6853"
},
{
"status": "affected",
"version": "MT6855"
},
{
"status": "affected",
"version": "MT6877"
},
{
"status": "affected",
"version": "MT6878"
},
{
"status": "affected",
"version": "MT6879"
},
{
"status": "affected",
"version": "MT6880"
},
{
"status": "affected",
"version": "MT6885"
},
{
"status": "affected",
"version": "MT6886"
},
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT6893"
},
{
"status": "affected",
"version": "MT6895"
},
{
"status": "affected",
"version": "MT6897"
},
{
"status": "affected",
"version": "MT6983"
},
{
"status": "affected",
"version": "MT6985"
},
{
"status": "affected",
"version": "MT6989"
},
{
"status": "affected",
"version": "MT6990"
},
{
"status": "affected",
"version": "MT6993"
},
{
"status": "affected",
"version": "MT8169"
},
{
"status": "affected",
"version": "MT8186"
},
{
"status": "affected",
"version": "MT8188"
},
{
"status": "affected",
"version": "MT8370"
},
{
"status": "affected",
"version": "MT8390"
},
{
"status": "affected",
"version": "MT8676"
},
{
"status": "affected",
"version": "MT8678"
},
{
"status": "affected",
"version": "MT8696"
},
{
"status": "affected",
"version": "MT8793"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:05:38.348Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20435",
"datePublished": "2026-03-02T08:39:12.070Z",
"dateReserved": "2025-11-03T01:30:59.011Z",
"dateUpdated": "2026-03-30T13:05:38.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20430 (GCVE-0-2026-20430)
Vulnerability from cvelistv5 – Published: 2026-03-02 08:39 – Updated: 2026-03-30 13:05
VLAI
Summary
In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6890
Affected: MT7915 Affected: MT7916 Affected: MT7981 Affected: MT7986 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T04:55:59.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT7915"
},
{
"status": "affected",
"version": "MT7916"
},
{
"status": "affected",
"version": "MT7981"
},
{
"status": "affected",
"version": "MT7986"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00467553; Issue ID: MSV-5151."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:05:32.389Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20430",
"datePublished": "2026-03-02T08:39:08.082Z",
"dateReserved": "2025-11-03T01:30:59.011Z",
"dateUpdated": "2026-03-30T13:05:32.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20419 (GCVE-0-2026-20419)
Vulnerability from cvelistv5 – Published: 2026-02-02 08:16 – Updated: 2026-03-30 13:03
VLAI
Summary
In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6890
Affected: MT6989TB Affected: MT7902 Affected: MT7915 Affected: MT7916 Affected: MT7920 Affected: MT7921 Affected: MT7922 Affected: MT7925 Affected: MT7927 Affected: MT7981 Affected: MT7986 Affected: MT8196 Affected: MT8668 Affected: MT8676 Affected: MT8678 Affected: MT8775 Affected: MT8791T Affected: MT8792 Affected: MT8793 Affected: MT8796 Affected: MT8873 Affected: MT8883 Affected: MT8893 Affected: MT8910 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T16:11:25.115269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T16:11:40.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT6989TB"
},
{
"status": "affected",
"version": "MT7902"
},
{
"status": "affected",
"version": "MT7915"
},
{
"status": "affected",
"version": "MT7916"
},
{
"status": "affected",
"version": "MT7920"
},
{
"status": "affected",
"version": "MT7921"
},
{
"status": "affected",
"version": "MT7922"
},
{
"status": "affected",
"version": "MT7925"
},
{
"status": "affected",
"version": "MT7927"
},
{
"status": "affected",
"version": "MT7981"
},
{
"status": "affected",
"version": "MT7986"
},
{
"status": "affected",
"version": "MT8196"
},
{
"status": "affected",
"version": "MT8668"
},
{
"status": "affected",
"version": "MT8676"
},
{
"status": "affected",
"version": "MT8678"
},
{
"status": "affected",
"version": "MT8775"
},
{
"status": "affected",
"version": "MT8791T"
},
{
"status": "affected",
"version": "MT8792"
},
{
"status": "affected",
"version": "MT8793"
},
{
"status": "affected",
"version": "MT8796"
},
{
"status": "affected",
"version": "MT8873"
},
{
"status": "affected",
"version": "MT8883"
},
{
"status": "affected",
"version": "MT8893"
},
{
"status": "affected",
"version": "MT8910"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:03:33.830Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20419",
"datePublished": "2026-02-02T08:16:46.837Z",
"dateReserved": "2025-11-03T01:30:59.009Z",
"dateUpdated": "2026-03-30T13:03:33.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20408 (GCVE-0-2026-20408)
Vulnerability from cvelistv5 – Published: 2026-02-02 08:14 – Updated: 2026-03-30 13:02
VLAI
Summary
In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6890
Affected: MT7615 Affected: MT7915 Affected: MT7916 Affected: MT7981 Affected: MT7986 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T04:55:40.470235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:39.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6890"
},
{
"status": "affected",
"version": "MT7615"
},
{
"status": "affected",
"version": "MT7915"
},
{
"status": "affected",
"version": "MT7916"
},
{
"status": "affected",
"version": "MT7981"
},
{
"status": "affected",
"version": "MT7986"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:02:57.756Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20408",
"datePublished": "2026-02-02T08:14:56.694Z",
"dateReserved": "2025-11-03T01:30:59.008Z",
"dateUpdated": "2026-03-30T13:02:57.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-20765 (GCVE-0-2025-20765)
Vulnerability from cvelistv5 – Published: 2025-12-02 02:34 – Updated: 2026-01-13 14:32
VLAI
Summary
In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
1 reference
Impacted products
1 product
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-20765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T14:54:51.695288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T14:32:32.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MT2718, MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6897, MT6899, MT6980D, MT6983, MT6985, MT6989, MT6990, MT6991, MT8113, MT8115, MT8139, MT8163, MT8168, MT8169, MT8183, MT8186, MT8188, MT8512, MT8516, MT8518, MT8519, MT8532, MT8676, MT8678, MT8695, MT8696, MT8698",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "Android 14.0, 15.0, 16.0 / openWRT 21.02, 23.05 / Yocto 4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T09:32:55.184Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2025-20765",
"datePublished": "2025-12-02T02:34:28.595Z",
"dateReserved": "2024-11-01T01:21:50.398Z",
"dateUpdated": "2026-01-13T14:32:32.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}