MediaTek has kicked off the new year with a critical security bulletin, releasing patches for a slew of high-severity vulnerabilities affecting dozens of its mobile and IoT chipsets. The January 2026 update addresses multiple dangerous flaws in the company’s modem firmware that could allow attackers to crash devices or potentially execute arbitrary code.
The bulletin, published on January 5, 2026, details patches for issues across a wide array of MediaTek chipsets, including the popular Dimensity series used in high-end smartphones. While the company states it is “not aware of any active exploitation of these vulnerabilities in the wild,” the nature of the bugs—particularly those in the modem—makes this a crucial update for Android OEMs.
The most alarming vulnerabilities in this month’s batch target the Modem component—the hardware responsible for cellular communication. MediaTek identified several “High” severity issues here that could lead to system instability or crashes.
- CVE-2025-20794 is a Stack Overflow vulnerability caused by “improper input validation,” which could lead to a system crash.
- CVE-2025-20793 involves a Null Pointer Dereference, another flaw resulting from “incorrect error handling” that threatens system stability.
- CVE-2025-20762 and CVE-2025-20760 are described as Reachable Assertion errors, where uncaught exceptions or incorrect error handling could trigger crashes or allow the reading of “uninitialized heap data”.
These flaws affect a massive list of chipsets, including the high-performance MT6989 and MT6991.
Beyond the modem, the bulletin highlights a high-severity Out-of-bounds Write in the KeyInstall component (CVE-2025-20795). This flaw, stemming from a “missing bounds check,” could allow malicious actors to overwrite memory in a critical security subsystem.
The affected list for this specific bug is extensive, covering everything from legacy chips like the MT6580 to modern powerhouses like the MT6991.
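The two bug classes the bulletin names most often, a stack overflow from "improper input validation" and an out-of-bounds write from a "missing bounds check", share one root cause: a length taken from the message is trusted when copying into a fixed-size buffer. The following C example is added here for illustration and is not MediaTek's code; the key-blob format (a 2-byte big-endian length followed by the payload), the `key_slot_t` type and the function names are all hypothetical. It places the unchecked copy beside the checked one so the missing validation is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical key-blob record (constructed for this example, not a real
 * MediaTek KeyInstall format): [len_hi][len_lo][payload ... len bytes] */
#define KEY_MAX 32

typedef struct {
    uint8_t key[KEY_MAX];   /* fixed-capacity destination buffer */
    size_t  key_len;
} key_slot_t;

/* VULNERABLE pattern: the declared length drives memcpy with no check
 * against the buffer capacity or the bytes actually received. A declared
 * length above KEY_MAX writes past slot->key (out-of-bounds write); a
 * declared length above msg_len - 2 reads past the message (over-read). */
int install_key_unchecked(key_slot_t *slot, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(slot->key, msg + 2, declared);   /* no bounds check */
    slot->key_len = declared;
    return 0;
}

/* HARDENED: validate the attacker-controlled length against both the
 * destination capacity and the source size before any copy happens. */
int install_key_checked(key_slot_t *slot, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;                 /* header itself is truncated */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > KEY_MAX) return -2;          /* would overflow slot->key */
    if (declared > msg_len - 2) return -3;      /* would read beyond the message */
    memcpy(slot->key, msg + 2, declared);
    slot->key_len = declared;
    return 0;
}

/* Constructed sample messages exercising the hardened parser. */

/* Well-formed: declares 16 bytes and carries exactly 16. Returns 1 on success. */
int demo_valid(void) {
    uint8_t msg[2 + 16] = { 0x00, 0x10 };
    for (size_t i = 0; i < 16; i++) msg[2 + i] = (uint8_t)(0xA0 + i);
    key_slot_t slot = {0};
    int rc = install_key_checked(&slot, msg, sizeof msg);
    return rc == 0 && slot.key_len == 16 && slot.key[15] == 0xAF;
}

/* Declares 256 bytes: larger than KEY_MAX, rejected before the copy. */
int demo_oversized(void) {
    uint8_t msg[2 + 256] = { 0x01, 0x00 };
    key_slot_t slot = {0};
    return install_key_checked(&slot, msg, sizeof msg);   /* -2 */
}

/* Declares 20 bytes but only 10 follow: would over-read, rejected. */
int demo_truncated(void) {
    uint8_t msg[2 + 10] = { 0x00, 0x14 };
    key_slot_t slot = {0};
    return install_key_checked(&slot, msg, sizeof msg);   /* -3 */
}

int main(void) {
    printf("valid=%d oversized=%d truncated=%d\n",
           demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```

The second check is written as `declared > msg_len - 2` rather than `declared + 2 > msg_len` so that the comparison cannot wrap; it is safe because `msg_len >= 2` was already established. A reviewer looking for this bug class in firmware parsers searches for exactly this shape: a length decoded from the wire that reaches `memcpy` without both comparisons in between.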
While the high-severity patches steal the spotlight, the bulk of the update addresses dozens of “Medium” severity issues plaguing various subsystems.
- Display & Graphics: The Display component was riddled with “Use After Free” (e.g., CVE-2025-20779, CVE-2025-20780) and “Double Free” (CVE-2025-20782) vulnerabilities, creating opportunities for memory corruption.
- Battery & Power: The Battery subsystem required patches for both a Stack Overflow (CVE-2025-20797) and an Out-of-bounds Write (CVE-2025-20798).
- Deep Processing Engine (DPE): Multiple “Integer Overflow” and “Use After Free” bugs were squashed in the DPE component (e.g., CVE-2025-20803, CVE-2025-20807).
MediaTek confirmed that “Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication,” giving manufacturers a head start on integrating these fixes into their monthly security updates.
Users with MediaTek-powered devices should look out for the January 2026 security patch level from their device manufacturers to ensure they are protected against these hardware-level threats.