CVE-2026-20450

# Conceptual PoC for triggering DoS via Rogue Base Station # Note: This is a simulation for demonstration purposes. import sys def simulate_rogue_base_station_interaction(): """ Simulates sending a malformed packet to a MediaTek Modem to trigger the error handling crash (Issue ID: MSV-6100). """ target_modem_interface = "wwan0" print(f"[*] Initializing rogue base station simulation on {target_modem_interface}...") # In a real scenario, specific cellular protocol messages (e.g., RRC, NAS) # would be crafted to exploit the incorrect error handling. # This represents the trigger payload. malicious_payload = { "msg_type": "MALFORMED_RRC_CONFIG", "cause": "TRIGGER_ERROR_HANDLER" } try: print(f"[*] Sending crafted payload to trigger crash: {malicious_payload}") # send_packet(target_modem_interface, malicious_payload) print("[!] Exploit successful: Target modem should crash and restart.") except Exception as e: print(f"[-] Simulation failed: {e}") if __name__ == "__main__": simulate_rogue_base_station_interaction()

{"cve": {"id": "CVE-2026-20450", "sourceIdentifier": "[email protected]", "published": "2026-05-04T07:15:59.723", "lastModified": "2026-05-07T12:42:53.157", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01753620; Issue ID: MSV-6100."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt2735_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A0D40745-FA7E-40DF-BCA6-24CECBB0AE43"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt2735:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F1D09FC-5BE9-4B23-82F1-3C6EAC5711A6"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt2737_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "85F4E58C-A9BC-4116-A844-B94C6B6566FA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt2737:-:*:*:*:*:*:*:*", "matchCriteriaId": "9C2A1118-B5F7-4EF5-B329-0887B5F3430E"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt6833_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BA0F3AD5-4D2B-4480-AA79-44EFD4E29348"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6833:-:*:*:*:*:*:*:*", "matchCriteriaId": "9814939B-F05E-4870-90C0-7C0F6BAAEB39"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt6835_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "00B1D726-8183-4667-B46D-18EF110EA9D9"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*", "matchCriteriaId": "19A63103-C708-48EC-B44D-5E465A6B79C5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt6853_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "3EAA5C86-701B-4116-8A63-EB89B3DC2B93"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6853:-:*:*:*:*:*:*:*", "matchCriteriaId": "366F1912-756B-443E-9962-224937DD7DFB"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt6855_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E997ED4F-33F3-4508-9B12-99DBA0D845B2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6855:-:*:*:*:*:*:*:*", "matchCriteriaId": "89AFEE24-7AAD-4EDB-8C3E-EDBA3240730A"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt6858_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "3BECB082-4B77-4ECC-968B-B00E48C06240"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6858:-:*:*:*:*:*:*:*", "matchCriteriaId": "C61AD730-66FE-4605-A89B-3B8D6526D612"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt6873_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "3E12A313-E835-4912-9392-E33428C1AC78"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6873:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6B8A36E-C5FB-44AE-A1C3-50EBF4C68F6B"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:mt6875_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "5228A4E6-9E36-41E4-A157-3CBA6C79DE06"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6875:-:*:*:*:*:*:*:*", "matchCriteriaId": "80BDC5EC- ... (truncated)