Logic Error in Preloader Exposes Device Identifiers in MediaTek Products
CVE-2026-20435

4.6MEDIUM

Key Information:

Vendor

MediaTek
Status
Mt2737, Mt6739, Mt6761, Mt6765, Mt6768, Mt6781, Mt6789, Mt6813, Mt6833, Mt6853, Mt6855, Mt6877, Mt6878, Mt6879, Mt6880, Mt6885, Mt6886, Mt6890, Mt6893, Mt6895, Mt6897, Mt6983, Mt6985, Mt6989, Mt6990, Mt6993, Mt8169, Mt8186, Mt8188, Mt8370, Mt8390, Mt8676, Mt8678, Mt8696, Mt8793
Vendor
CVE Published:
2 March 2026

What is CVE-2026-20435?

A security flaw has been identified in the preloader of MediaTek products, which allows for the unintended disclosure of unique device identifiers due to a logic error. This vulnerability could potentially be exploited if an attacker gains physical access to the device, without needing any elevated execution privileges. The flaw does not require user interaction for exploitation, highlighting the critical need for physical security measures. A patch has been issued to remediate this issue, ensuring enhanced protection against local information disclosure.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6813, MT6833, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6885, MT6886, MT6890, MT6893, MT6895, MT6897, MT6983, MT6985, MT6989, MT6990, MT6993, MT8169, MT8186, MT8188, MT8370, MT8390, MT8676, MT8678, MT8696, MT8793 Android 14.0, 15.0, 16.0 / openWRT 21.02, 23.05 / Yocto 4.0 / RDK-B 22Q3, 24Q1 / Zephyr 3.7.0

References

https://corp.mediatek.com/product-security-bulletin/March...

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.