CVE-2024-20149

High

Published: 06 January 2025

Published

06 January 2025

Modified

12 January 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0136 80.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01231341 / MOLY01263331 / MOLY01233835; Issue ID: MSV-2165.

Security Summary

CVE-2024-20149 is a vulnerability in the Modem component stemming from improper input validation (CWE-1284), which can trigger a system crash. It affects MediaTek products, as detailed in their product security bulletin.

The vulnerability enables a remote denial-of-service attack, exploitable by any unauthenticated attacker over the network with low attack complexity and no user interaction required. Successful exploitation results in high-impact availability disruption (A:H) without affecting confidentiality or integrity, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

MediaTek advisories recommend applying patches MOLY01231341, MOLY01263331, or MOLY01233835 to mitigate the issue (tracked as MSV-2165). Full details are available in the January 2025 product security bulletin at https://corp.mediatek.com/product-security-bulletin/January-2025.

Details

CWE(s): CWE-1284

Affected Products

mediatek

lr12

all versions

mediatek

lr13

all versions

mediatek

nr15

all versions

mediatek

nr16

all versions

mediatek

nr17.r1

all versions

mediatek

nr17.r2

all versions

References

https://corp.mediatek.com/product-security-bulletin/January-2025
Vendor Advisory · security@mediatek.com