#VU65029 Out-of-bounds write in MediaTek products - CVE-2022-21744

Vulnerability identifier: #VU65029

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-21744

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MT2731
Mobile applications / Mobile firmware & hardware
MT2735
Mobile applications / Mobile firmware & hardware
MT6297
Mobile applications / Mobile firmware & hardware
MT6725
Mobile applications / Mobile firmware & hardware
MT6735
Mobile applications / Mobile firmware & hardware
MT6737
Mobile applications / Mobile firmware & hardware
MT6739
Mobile applications / Mobile firmware & hardware
MT6750
Mobile applications / Mobile firmware & hardware
MT6750S
Mobile applications / Mobile firmware & hardware
MT6755
Mobile applications / Mobile firmware & hardware
MT6757
Mobile applications / Mobile firmware & hardware
MT6757P
Mobile applications / Mobile firmware & hardware
MT6758
Mobile applications / Mobile firmware & hardware
MT6761
Mobile applications / Mobile firmware & hardware
MT6762
Mobile applications / Mobile firmware & hardware
MT6762D
Mobile applications / Mobile firmware & hardware
MT6762M
Mobile applications / Mobile firmware & hardware
MT6763
Mobile applications / Mobile firmware & hardware
MT6765
Mobile applications / Mobile firmware & hardware
MT6765T
Mobile applications / Mobile firmware & hardware
MT6767
Mobile applications / Mobile firmware & hardware
MT6768
Mobile applications / Mobile firmware & hardware
MT6769
Mobile applications / Mobile firmware & hardware
MT6769T
Mobile applications / Mobile firmware & hardware
MT6769Z
Mobile applications / Mobile firmware & hardware
MT6771
Mobile applications / Mobile firmware & hardware
MT6775
Mobile applications / Mobile firmware & hardware
MT6783
Mobile applications / Mobile firmware & hardware
MT6785T
Mobile applications / Mobile firmware & hardware
MT6789
Mobile applications / Mobile firmware & hardware
MT6797
Mobile applications / Mobile firmware & hardware
MT6799
Mobile applications / Mobile firmware & hardware
MT6833
Mobile applications / Mobile firmware & hardware
MT6855
Mobile applications / Mobile firmware & hardware
MT6879
Mobile applications / Mobile firmware & hardware
MT6880
Mobile applications / Mobile firmware & hardware
MT6890
Mobile applications / Mobile firmware & hardware
MT6895
Mobile applications / Mobile firmware & hardware
MT6983
Mobile applications / Mobile firmware & hardware
MT8666
Mobile applications / Mobile firmware & hardware
MT8667
Mobile applications / Mobile firmware & hardware
MT8675
Mobile applications / Mobile firmware & hardware
MT8735A
Mobile applications / Mobile firmware & hardware
MT8735B
Mobile applications / Mobile firmware & hardware
MT8765
Mobile applications / Mobile firmware & hardware
MT8766
Mobile applications / Mobile firmware & hardware
MT8768
Mobile applications / Mobile firmware & hardware
MT8771
Mobile applications / Mobile firmware & hardware
MT8781
Mobile applications / Mobile firmware & hardware
MT8786
Mobile applications / Mobile firmware & hardware
MT8788
Mobile applications / Mobile firmware & hardware
MT8789
Mobile applications / Mobile firmware & hardware
MT8791
Mobile applications / Mobile firmware & hardware
MT6779
Hardware solutions / Firmware
MT6781
Hardware solutions / Firmware
MT6785
Hardware solutions / Firmware
MT6853
Hardware solutions / Firmware
MT6873
Hardware solutions / Firmware
MT6875
Hardware solutions / Firmware
MT6877
Hardware solutions / Firmware
MT6883
Hardware solutions / Firmware
MT6885
Hardware solutions / Firmware
MT6889
Hardware solutions / Firmware
MT6891
Hardware solutions / Firmware
MT6893
Hardware solutions / Firmware
MT8797
Hardware solutions / Firmware

Vendor: MediaTek

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in Modem 2G RR when decoding GPRS Packet Neighbour Cell Data (PNCD). A remote attacker can send specially crafted packets to the device, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MT2731: All versions

MT2735: All versions

MT6297: All versions

MT6725: All versions

MT6735: All versions

MT6737: All versions

MT6739: All versions

MT6750: All versions

MT6750S: All versions

MT6755: All versions

MT6757: All versions

MT6757P: All versions

MT6758: All versions

MT6761: All versions

MT6762: All versions

MT6762D: All versions

MT6762M: All versions

MT6763: All versions

MT6765: All versions

MT6765T: All versions

MT6767: All versions

MT6768: All versions

MT6769: All versions

MT6769T: All versions

MT6769Z: All versions

MT6771: All versions

MT6775: All versions

MT6779: All versions

MT6781: All versions

MT6783: All versions

MT6785: All versions

MT6785T: All versions

MT6789: All versions

MT6797: All versions

MT6799: All versions

MT6833: All versions

MT6853: All versions

MT6855: All versions

MT6873: All versions

MT6875: All versions

MT6877: All versions

MT6879: All versions

MT6880: All versions

MT6883: All versions

MT6885: All versions

MT6889: All versions

MT6890: All versions

MT6891: All versions

MT6893: All versions

MT6895: All versions

MT6983: All versions

MT8666: All versions

MT8667: All versions

MT8675: All versions

MT8735A: All versions

MT8735B: All versions

MT8765: All versions

MT8766: All versions

MT8768: All versions

MT8771: All versions

MT8781: All versions

MT8786: All versions

MT8788: All versions

MT8789: All versions

MT8791: All versions

MT8797: All versions

---

External links
https://corp.mediatek.com/product-security-bulletin/July-2022

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.