Security Vulnerability Report
CVE-2026-20451 CVSS 6.7 MEDIUM

Published: 2026-05-04 07:16:00
Last Modified: 2026-05-07 12:42:45

Description

In slbc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10828685; Issue ID: MSV-6504.

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:mediatek:mt8115_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt8115:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:mediatek:mt8186_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt8186:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:mediatek:mt8188_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt8188:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:mediatek:mt8196_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt8196:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:mediatek:mt8365_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt8365:-:*:*:*:*:*:*:* - NOT VULNERABLE
MediaTek slbc (versions prior to Patch ID: ALPS10828685)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// Conceptual PoC for Type Confusion leading to Out of Bounds Write
// This code simulates the logic of the vulnerability.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Structure representing the smaller object
struct SmallObject {
    int id;
    char name[8];
};

// Structure representing the larger object
struct LargeObject {
    int id;
    long data;
    char buffer[16];
};

// Vulnerable function that assumes input is LargeObject based on a flag
void vulnerable_function(void* input, int is_large) {
    if (is_large) {
        struct LargeObject* large = (struct LargeObject*)input;
        printf("Treating as LargeObject\n");
        // This write will overflow if input was actually SmallObject
        large->data = 0xDEADBEEF;
        strcpy(large->buffer, "ExploitData");
    } else {
        struct SmallObject* small = (struct SmallObject*)input;
        printf("Treating as SmallObject\n");
        small->id = 1;
    }
}

int main(void) {
    // Allocation mimicking the vulnerable component's memory handling
    struct SmallObject* obj = (struct SmallObject*)malloc(sizeof(struct SmallObject));
    if (obj == NULL) {
        return 1;
    }
    obj->id = 100;
    printf("Original object size: %zu\n", sizeof(struct SmallObject));

    // Triggering the type confusion:
    // Passing a SmallObject but telling the function it is a LargeObject.
    // This causes an Out of Bounds Write relative to the allocated memory.
    printf("Triggering vulnerability...\n");
    vulnerable_function(obj, 1);

    free(obj);
    return 0;
}
