#VU66967 Out-of-bounds write in MediaTek Mobile applications


Published: 2022-09-05

Vulnerability identifier: #VU66967

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-26458

CWE-ID: CWE-787

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
MT6853
Hardware solutions / Firmware
MT6873
Hardware solutions / Firmware
MT6877
Hardware solutions / Firmware
MT6883
Hardware solutions / Firmware
MT6885
Hardware solutions / Firmware
MT6893
Hardware solutions / Firmware
MT8797
Hardware solutions / Firmware
MT6855
Mobile applications / Mobile firmware & hardware
MT6895
Mobile applications / Mobile firmware & hardware
MT6983
Mobile applications / Mobile firmware & hardware
MT8791
Mobile applications / Mobile firmware & hardware

Vendor: MediaTek

Description

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in vow. A local user can trigger out-of-bounds write and execute arbitrary code on the target system with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MT6853: All versions

MT6855: All versions

MT6873: All versions

MT6877: All versions

MT6883: All versions

MT6885: All versions

MT6893: All versions

MT6895: All versions

MT6983: All versions

MT8791: All versions

MT8797: All versions

CPE

External links
http://corp.mediatek.com/product-security-bulletin/September-2022

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in MediaTek Chipsets