CVE-2025-20641

Medium

Published: 03 February 2025

Published

03 February 2025

Modified

04 February 2025

KEV Added

—

Patch

—

CVSS Score 6.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0003 7.5th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291146; Issue ID: MSV-2058.

Security Summary

CVE-2025-20641 is an out-of-bounds write vulnerability in DA due to a missing bounds check. It affects MediaTek products, as documented in their product security bulletin.

An attacker with physical access to the device can exploit this vulnerability to achieve local escalation of privilege. No additional execution privileges are required, though user interaction is needed for exploitation. The vulnerability has a CVSS v3.1 base score of 6.6 (AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-787.

MediaTek has issued patch ALPS09291146 to address this issue (MSV-2058). For mitigation details, affected versions, and patching instructions, refer to the February 2025 product security bulletin at https://corp.mediatek.com/product-security-bulletin/February-2025.

Details

CWE(s): CWE-787

Affected Products

google

android

12.0, 13.0, 14.0, 15.0

References

https://corp.mediatek.com/product-security-bulletin/February-2025
Vendor Advisory · security@mediatek.com