CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-20408: Airborne Toxic Event: The MediaTek WLAN Heap Overflow (CVE-2026-20408)

Vulnerability ID: CVE-2026-20408
CVSS Score: 8.8
Published: 2026-02-02

CVE-2026-20408 is a critical heap-based buffer overflow in the MediaTek WLAN SDK that allows adjacent attackers to execute arbitrary code with kernel privileges. Affecting a wide range of devices from OpenWrt routers to enterprise Aruba access points, this 'zero-click' vulnerability resides in the handling of wireless management frames. By broadcasting a malformed packet, an attacker can corrupt heap memory, bypass security mechanisms, and gain full control over the device without any user interaction.

TL;DR

A critical zero-click RCE in MediaTek Wi-Fi drivers allows attackers within radio range to compromise devices via malformed packets. Affects OpenWrt, Aruba, and generic MediaTek SDK implementations.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-787 (OOB Write)
  • Attack Vector: Adjacent (AV:A)
  • CVSS Score: 8.8 (High)
  • Privileges: Kernel / Ring 0
  • Impact: RCE / Denial of Service
  • Exploit Status: PoC Expected

Affected Systems

  • MediaTek SDK (Release 7.6.7.2 and prior)
  • OpenWrt (Versions 19.07, 21.02, 23.05)
  • Aruba Networks APs (Specific models with MediaTek chips)
  • Ubiquiti/Other vendors using MT7915/MT7986 chipsets
  • MediaTek SDK: <= 7.6.7.2 (Fixed in: Post-Feb 2026 Release)
  • OpenWrt: 19.07 - 23.05 (Fixed in: Snapshot Feb 2026)

Code Analysis

Commit: WCNCR00

MediaTek Internal Patch ID for Heap Buffer Overflow Fix

N/A (Proprietary/Internal)

Exploit Details

Mitigation Strategies

  • Update firmware to versions including Patch ID WCNCR00461651
  • Isolate Wi-Fi management interfaces from public access
  • Monitor for kernel panics or repeated Wi-Fi driver crashes
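
One way to act on the monitoring item above, as an added example that is not from the original report or from MediaTek or OpenWrt: a POSIX shell filter that counts kernel crash traces whose backtrace frames carry a bracketed `mt7*` module tag. The module-name pattern, the function names in the frames and the sample log lines are constructed assumptions; adjust the pattern to the driver modules actually loaded on the device.

```shell
#!/bin/sh
# Added example: count kernel crash traces that implicate a MediaTek Wi-Fi module.

# Constructed kernel log lines (not captured from a real device); the function
# names in the frames are hypothetical.
sample_log() {
    cat <<'EOF'
[  812.104411] Unable to handle kernel paging request at virtual address ffffffc012345000
[  812.104430] Internal error: Oops: 96000047 [#1] SMP
[  812.104455] Modules linked in: mt7915e mt76 mac80211 cfg80211
[  812.104502] pc : example_rx_frame+0x1c/0x200 [mt7915e]
[  812.104560] ---[ end trace 0000000000000000 ]---
[  812.104601] Kernel panic - not syncing: Fatal exception
[  812.104650] ---[ end Kernel panic - not syncing: Fatal exception ]---
[   95.220001] Internal error: Oops: 96000004 [#1] SMP
[   95.220040] Modules linked in: mt7915e mt76 mac80211 cfg80211
[   95.220077] pc : example_nat_hook+0x44/0x90 [nf_nat]
[   95.220120] ---[ end trace 0000000000000000 ]---
[  301.550012] Unable to handle kernel paging request at virtual address ffffffc0abcde000
[  301.550090] lr : example_mgmt_parse+0x88/0x140 [mt76]
EOF
}

# Read a kernel log on stdin and print how many crash traces contain a frame
# tagged with a bracketed mt7* module, e.g. "[mt76]". "Modules linked in:" lists
# every loaded module without brackets, so it does not count as evidence.
count_wifi_crashes() {
    awk '
        /---\[ end / { if (in_trace && wifi) n++; in_trace = 0; wifi = 0; next }
        /Unable to handle kernel|Internal error: Oops|Kernel panic - not syncing|BUG: / { in_trace = 1 }
        in_trace && /\[mt7[0-9a-z_]*\]/ { wifi = 1 }
        # A trace cut off by a reboot has no end marker; count it at end of input.
        END { if (in_trace && wifi) n++; print n + 0 }
    '
}

# Succeed (and print an alert) when the count reaches THRESHOLD.
# Usage on a device: dmesg | wifi_crash_alert 2
wifi_crash_alert() {
    n=$(count_wifi_crashes)
    if [ "$n" -ge "$1" ]; then
        echo "ALERT: $n crash traces implicate the Wi-Fi driver"
        return 0
    fi
    return 1
}

sample_log | wifi_crash_alert 2 || true
```

On the constructed sample, the crash inside `[nf_nat]` is ignored even though the Wi-Fi modules are loaded, and the trace with no end marker is still counted.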

Remediation Steps:

  1. Identify all devices using MediaTek MT79xx/MT76xx chipsets.
  2. For OpenWrt: Run 'opkg update; opkg upgrade mt76-firmware kmod-mt76'.
  3. For Enterprise APs: Apply the February 2026 Vendor Security Patch immediately.
  4. Reboot devices to load the patched kernel modules.

Read the full report for CVE-2026-20408 on our website for more details including interactive diagrams and full exploit analysis.
