In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416938; Issue ID: MSV-3444.
The error consists of an incorrect bounds check during data writing in the WLAN AP driver, which leads to writing data outside the designated memory area (CWE-787: out of bounds write). The vulnerability can be exploited by a local user with user-level privileges (User execution privileges), without requiring any interaction from the victim.
An attacker can obtain local privilege escalation, potentially taking control of the device at the system level. Due to the critical CVSS score (9.8), the consequences include complete violation of system confidentiality, integrity, and availability.
Security patches available from the manufacturer should be applied according to the references (Patch ID: WCNCR00416938; Issue ID: MSV-3444). Detailed information about patched versions is available in the MediaTek security bulletin from July 2025: https://corp.mediatek.com/product-security-bulletin/July-2025
MediaTek chipsets: MT7915, MT7916, MT7615, MT7981 and OpenWrt software. Detailed software versions are indicated in the manufacturer's references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMediatek Mt6890
HWMediatekwszystkie wersjeMediatek Mt7615
HWMediatekwszystkie wersjeMediatek Mt7622
HWMediatekwszystkie wersjeMediatek Mt7663
HWMediatekwszystkie wersjeMediatek Mt7915
HWMediatekwszystkie wersjeMediatek Mt7916
HWMediatekwszystkie wersjeMediatek Mt7981
HWMediatekwszystkie wersjeMediatek Mt7986
HWMediatekwszystkie wersjeMediatek Software Development Kit
APPMediatek≤ 7.6.7.2Openwrt
OSOpenwrt19.07.021.02.0
Related vulnerabilities
Stack-based Buffer Overflow w mdns daemon OpenWrt — możliwy RCE
Stack-based Buffer Overflow w demonie mdns OpenWrt — przepełnienie stosu przez PTR query
Out-of-bounds write w sterowniku WLAN AP MediaTek – privilege escalation
Out-of-bounds write w sterowniku WLAN AP MediaTek — privilege escalation
Out-of-bounds write w sterowniku WLAN AP MediaTek — privilege escalation