MediaTek Discloses Critical Security Vulnerabilities Affecting 51 Chipsets

MediaTek, a leading fabless semiconductor company, has disclosed a series of security vulnerabilities affecting 51 of its chipsets, including a critical remote code execution (RCE) bug. The vulnerabilities, disclosed on Monday, January 6, 2025, impact chipsets used in smartphones, IoT devices, cars, and Chromebooks. The most severe issue, tracked as CVE-2024-20154, is a stack overflow vulnerability in the modems of affected chipsets, allowing attackers to execute code remotely if a device connects to a malicious base station.

The RCE vulnerability was given a ‘critical’ severity rating by MediaTek, though the company did not provide a specific Common Vulnerability Scoring System (CVSS) score. A successful exploit requires no additional privileges or user interaction, making it particularly dangerous. MediaTek stated that device manufacturers were notified of the vulnerabilities and provided patches at least two months prior to the public disclosure, ensuring that most affected devices should already be secured.

In addition to the critical RCE bug, MediaTek disclosed seven high-severity vulnerabilities, including other RCE and privilege escalation issues, and five medium-severity vulnerabilities leading to denial of service and information disclosure. The affected chipsets span a wide range of applications, underscoring MediaTek’s significant presence in mobile, IoT, and automotive markets.

MediaTek’s chips are also used in Chromebooks, and the company is reportedly preparing to enter the PC chip market with Arm-based designs expected in 2025. This move aligns with the expiration of Qualcomm‘s exclusive Windows on Arm deal in 2024, opening the door for competitors like MediaTek, Nvidia, and AMD to expand into the AI-ready chip market.

MediaTek’s recent product diversification includes its Genio platform, launched in 2022, targeting the AIoT (Artificial Intelligence of Things) market. The company has also introduced the Dimensity 8400 chip for premium smartphones, featuring advanced AI capabilities and improved performance. Despite these advancements, the disclosure of critical vulnerabilities highlights the ongoing challenges in securing increasingly complex semiconductor technologies.

The Register reached out to MediaTek for comment but did not receive an immediate response. As the tech industry continues to grapple with cybersecurity threats, the timely disclosure and patching of vulnerabilities remain critical to protecting users and devices worldwide.