Use After Free Vulnerability in MediaTek VCU Components
CVE-2023-20744

6.7MEDIUM

Key Information:

Vendor: MediaTek
Status: MT6789, MT6855, MT8185, MT8195, MT8365, MT8395, MT8781, MT8786, MT8789, MT8791, MT8797
Vendor: CVE Published:; 6 June 2023

Summary

A logic error in MediaTek VCU components allows for a use after free vulnerability, potentially leading to local privilege escalation. This vulnerability does not require user interaction, which means that the system execution privileges could be compromised without any action from the user. It is crucial for users of affected VCU versions to apply the necessary patches to mitigate these risks, as attackers could exploit this weakness to gain elevated privileges.

Affected Version(s)

MT6789, MT6855, MT8185, MT8195, MT8365, MT8395, MT8781, MT8786, MT8789, MT8791, MT8797 Android 12.0, 13.0 / Yocto 4.0 / Iot-Yocto 22.2

References

https://corp.mediatek.com/product-security-bulletin/June-...

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2023
Vulnerability Reserved
Oct 28, 2022