CVE-2024-20146
Published: 06 January 2025
Description
In wlan STA driver, there is a possible out of bounds write due to improper input validation. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00389496 / ALPS09137491; Issue ID: MSV-1835.
Security Summary
CVE-2024-20146 is an out-of-bounds write vulnerability in the WLAN STA driver stemming from improper input validation. It affects MediaTek's WLAN STA driver components, as detailed in the vendor's product security bulletin. The issue, tracked internally as MSV-1835 with patch IDs WCNCR00389496 and ALPS09137491, carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-787 (Out-of-bounds Write). The vulnerability was published on January 6, 2025.
An attacker within adjacent physical proximity, such as on the same network segment, can exploit this flaw remotely with low complexity and no required privileges or user interaction. Successful exploitation enables proximal or adjacent code execution, potentially compromising system integrity and availability without impacting confidentiality.
MediaTek's January 2025 Product Security Bulletin provides details on the vulnerability and recommends applying the specified patches (WCNCR00389496 / ALPS09137491) to mitigate the risk. Security practitioners should verify affected devices and ensure firmware updates are deployed promptly.
Details
- CWE(s)