CVE-2024-20150
Published: 06 January 2025
Description
In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01412526; Issue ID: MSV-2018.
Security Summary
CVE-2024-20150 is a logic error vulnerability in the Modem component of MediaTek products, which can cause a system crash. Published on January 6, 2025, it is tracked with Patch ID MOLY01412526 and Issue ID MSV-2018, and is associated with CWE-502 (Deserialization of Untrusted Data). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.
Remote attackers can exploit this vulnerability without authentication or user interaction; the attack requires only network access and is of low complexity. Successful exploitation causes a denial of service through a system crash, and no additional execution privileges are needed.
MediaTek's January 2025 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/January-2025 provides details on the issue, including the associated patch MOLY01412526 for mitigation. Security practitioners should apply the relevant firmware updates to affected devices.
Details
- CWE(s)