#VU66044 Race condition in MediaTek products - CVE-2022-26428

Vulnerability identifier: #VU66044

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-26428

CWE-ID: CWE-362

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
MT6739
Mobile applications / Mobile firmware & hardware
MT6761
Mobile applications / Mobile firmware & hardware
MT6765
Mobile applications / Mobile firmware & hardware
MT6771
Mobile applications / Mobile firmware & hardware
MT8163
Mobile applications / Mobile firmware & hardware
MT8167
Mobile applications / Mobile firmware & hardware
MT8173
Mobile applications / Mobile firmware & hardware
MT8183
Mobile applications / Mobile firmware & hardware
MT8362A
Mobile applications / Mobile firmware & hardware
MT8385
Mobile applications / Mobile firmware & hardware
MT8695
Mobile applications / Mobile firmware & hardware

Vendor: MediaTek

Description

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a race condition within the video codec. A local application can exploit the race and escalate privileges on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MT6739: All versions

MT6761: All versions

MT6765: All versions

MT6771: All versions

MT8163: All versions

MT8167: All versions

MT8173: All versions

MT8183: All versions

MT8362A: All versions

MT8385: All versions

MT8695: All versions

---

External links
https://corp.mediatek.com/product-security-bulletin/August-2022

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.