CVE-2024-20094
Published: 07 October 2024
Summary
CVE-2024-20094 is a high-severity Reachable Assertion (CWE-617) vulnerability in MediaTek Nr15. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
In Modem software, a missing bounds check can trigger a system crash, as described under CVE-2024-20094. The flaw is tracked with Patch ID MOLY00843282 and Issue ID MSV-1535, carries a CVSS 3.1 base score of 7.5, and is associated with CWE-617. It affects MediaTek modem implementations and was disclosed on 7 October 2024.
An unauthenticated network attacker can send crafted input to the modem over the network, causing a denial-of-service condition that crashes the system. No additional execution privileges or user interaction are required for successful exploitation.
MediaTek’s October 2024 product security bulletin lists the issue and directs customers to apply the referenced patch for remediation. The EPSS score remains flat at 0.0641 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17809
Vulnerability details
In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00843282; Issue ID: MSV-1535.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.