CVE-2026-20456: MediaTek WLAN Driver Out-of-Bounds Write DoS
A flaw in MediaTek's wireless LAN driver allows an authenticated local user to crash the system without any user interaction. The vulnerability stems from missing boundary validation in the wlan STA (Station) driver code, permitting an attacker with user-level access to send crafted input that causes an out-of-bounds write. The impact is denial of service—the device becomes unresponsive until rebooted.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 12 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In wlan STA driver, there is a possible system crash due to a missing bounds check. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480851; Issue ID: MSV-6338.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-20456 is an out-of-bounds write vulnerability (CWE-787) in the wlan STA driver component of multiple MediaTek wireless chipsets. The driver fails to validate buffer boundaries before writing data, allowing a local unprivileged process to trigger a write beyond allocated memory. This results in kernel memory corruption and system crash. The vulnerability requires local code execution capability but no user interaction, making it exploitable by any process running on the device with user privileges. CVSS 3.1 score is 5.5 (Medium), reflecting local attack vector, low complexity, and high availability impact with no confidentiality or integrity compromise.
Business impact
Organizations deploying devices with affected MediaTek wireless chipsets face potential service disruptions. While the vulnerability does not enable data theft or privilege escalation, repeated exploitation could render wireless connectivity unavailable, impacting user productivity and network reliability. In environments where devices are remotely managed or deployed at scale (enterprise laptops, IoT access points, network appliances), this DoS vector becomes operationally significant. Attackers with local access—including disgruntled employees or malicious applications installed by users—can disrupt wireless service without detection.
Affected systems
The flaw impacts MediaTek MT7902, MT7920, MT7921, MT7922, MT7925, and MT7927 chipsets, including both the firmware and driver components. These are common WLAN modules found in consumer and enterprise laptops, tablets, access points, and embedded networking devices. Devices manufactured before the patch release by OEMs integrating these chipsets are at risk. Check device WLAN module identification (often visible in device manager or via dmidecode on Linux) against the affected chipset list to determine exposure.
Exploitability
Exploitation requires local system access and user-level privileges—the attacker cannot exploit this remotely or from outside the device. However, no special capabilities, elevated privileges, or user interaction are needed once local execution is achieved. The attack surface includes any application or service running with user privileges that can communicate with the wlan driver. Given the ubiquity of malware and the ease of privilege escalation attacks, this vulnerability should be treated as readily exploitable in real-world scenarios where an attacker has already achieved initial access to the device. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but absence from KEV does not indicate low risk in targeted environments.
Remediation
Patch the wlan driver using MediaTek's firmware update corresponding to Patch ID WCNCR00480851. OEMs and device manufacturers will release updated firmware or driver packages—consult your device vendor for availability and deployment timelines. Patch verification should reference the vendor advisory to confirm the specific firmware or driver version incorporates the fix. Until patching is complete, restrict local user access to devices and enforce application whitelisting to reduce the risk of untrusted code execution.
Patch guidance
MediaTek has issued a fix under Patch ID WCNCR00480851. Contact your device manufacturer or visit their support portal for firmware updates that incorporate this patch. Verify the updated firmware version includes this Patch ID before deployment. For enterprise environments, coordinate patch rollout through existing WLAN device management tools (e.g., MDM, WLAN controller management consoles) to minimize downtime. Test the patch in a non-production environment first to ensure compatibility with your device fleet and associated WLAN infrastructure.
Detection guidance
Monitor system logs and kernel crash reports for unexpected wireless driver failures or kernel panics. On Linux systems, check dmesg output for segmentation faults or out-of-bounds write signatures originating from the WLAN driver (typically labeled as mt76xx or similar). On Windows, review Event Viewer for critical driver-related errors (Event ID 1001 in System logs). Collect correlated security logs to identify whether the crashes coincide with suspicious process activity or privilege escalation attempts. Implement driver-level instrumentation or use Host-Based Intrusion Detection Systems (HIDS) to flag anomalous interactions with the WLAN driver interface.
Why prioritize this
While the CVSS score of 5.5 is moderate, prioritization depends on your environment's risk posture. Organizations with strict application control policies and limited local user populations face lower immediate risk. However, enterprises with BYOD programs, shared workstations, or IoT deployments should prioritize patching to prevent availability disruptions. The vulnerability's lack of confidentiality impact makes it lower priority than RCE or privilege escalation flaws, but the simplicity of exploitation (once local access is obtained) and the disruption to wireless connectivity justify inclusion in your Q2/Q3 patch cycle.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a Medium severity rating based on: (1) local attack vector—attacker must have access to the device, (2) low complexity—no special conditions or technical sophistication required, (3) low privileges—user-level execution is sufficient, (4) no user interaction—the attack is automatic once triggered, and (5) no impact on confidentiality or integrity—only availability is affected. The score appropriately discounts remote attack vectors but fairly captures the operational risk of DoS in a local access scenario. Organizations prioritizing availability over other factors may internally elevate this to High priority.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. The vulnerability requires local code execution on the affected device. However, if an attacker has already compromised a device via remote means (e.g., malware infection), they can then exploit this flaw locally to trigger a denial of service.
Will patching this vulnerability require device downtime?
Most firmware patches can be deployed without rebooting the device, but verify with your OEM's specific guidance. Some WLAN driver updates may require a reboot or temporary disconnection from wireless networks. Plan updates during maintenance windows to minimize disruption.
Are all devices with a MediaTek WLAN chipset affected?
Only devices using the MT7902, MT7920, MT7921, MT7922, MT7925, or MT7927 chipsets are vulnerable. Check your device's WLAN module specifications to confirm exposure. Other MediaTek chipsets are not listed as affected by this CVE.
What should I do if I cannot patch immediately?
Implement compensating controls: restrict local user access to affected devices, enforce strict application whitelisting, disable unused WLAN features, and monitor for suspicious activity targeting the wireless driver. Prioritize patching in high-risk environments (shared workstations, public kiosks, IoT edge devices).
This analysis is based on publicly available vulnerability data as of the publication date. Patch availability and timelines vary by OEM; verify specific firmware versions against vendor advisories before deployment. This document does not constitute legal or compliance advice. Organizations must conduct their own risk assessments based on their specific hardware configurations, network topology, and regulatory requirements. Exploitation in the wild has not been confirmed; CISA has not listed this CVE in its Known Exploited Vulnerabilities catalog. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-20453MEDIUMMediaTek geniezone Out-of-Bounds Write Privilege Escalation
- CVE-2026-20455HIGHMediaTek geniezone Out-of-Bounds Write Local Privilege Escalation
- CVE-2025-59614MEDIUMQualcomm Memory Corruption in RNG Command Handling
- CVE-2026-10114MEDIUMOpen5GS Out-of-Bounds Write in NF Profile Parser
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2021-4478HIGHDräger CC-Vision Buffer Overflow in .gdt File Parsing
- CVE-2025-59605HIGHQualcomm Memory Corruption in Device Identifier Processing
- CVE-2026-10046HIGHBitdefender Napoca Hypervisor Out-of-Bounds Write Vulnerability