Cyber Posture

CVE-2024-20149

Severity: High
Published: 06 January 2025
Modified: 12 January 2026
KEV Added: not listed
Patch: MOLY01231341 / MOLY01263331 / MOLY01233835
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0136 (80.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-20149 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in the Modem component of MediaTek modem firmware (LR12, LR13, NR15, NR16, NR17.R1 and NR17.R2). Its CVSS v3.1 base score is 7.5 (High).

Its EPSS score of 0.0136 places it in the 80.3rd percentile, that is, in the top 19.7% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of the Modem flaw by applying the MediaTek patch MOLY01231341, MOLY01263331, or MOLY01233835, which removes the improper input validation.

SI-10 Information Input Validation (prevent): directly mandates input validation at entry points such as the Modem's message parsers, so that a malformed or oversized input is rejected instead of crashing the system.

SC-5 Denial-of-Service Protection (prevent): provides protection against, or limits the effects of, remote denial-of-service events that exploit unvalidated network inputs in the Modem component.

NVD Description

In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01231341 / MOLY01263331 / MOLY01233835; Issue ID: MSV-2165.

Deeper analysis

CVE-2024-20149 is a vulnerability in the Modem component stemming from improper validation of a quantity specified in input (CWE-1284), which can trigger a system crash. It affects the MediaTek modem firmware releases LR12, LR13, NR15, NR16, NR17.R1 and NR17.R2, as detailed in MediaTek's product security bulletin.

The vulnerability enables a remote denial-of-service attack, exploitable by an unauthenticated attacker over the network with low attack complexity and no user interaction required. Successful exploitation results in a high-impact availability disruption (A:H) without affecting confidentiality or integrity, giving a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

MediaTek's advisory recommends applying the applicable patch (MOLY01231341, MOLY01263331, or MOLY01233835) to mitigate the issue, tracked as MSV-2165. MediaTek provides these modem fixes to device manufacturers, so on deployed devices the fix arrives as an OEM firmware update; check the device's firmware and security patch level rather than expecting to find a MOLY identifier. Full details are available in the January 2025 product security bulletin at https://corp.mediatek.com/product-security-bulletin/January-2025.
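The CWE-1284 pattern behind this CVE, a parser that acts on a length field supplied by the sender without checking it, and the SI-10 input-validation fix, shown side by side. This is an added illustration written for this page, not MediaTek's modem code: the TLV message layout, the 16-byte value field and the function names are assumptions, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed message layout for illustration (not MediaTek's modem protocol):
 * a sequence of type-length-value elements, [type:1][len:1][value:len].
 * The receiver copies each value into a fixed 16-byte field. */
#define MAX_VALUE 16

struct tlv {
    uint8_t type;
    uint8_t len;
    uint8_t value[MAX_VALUE];
};

/* CWE-1284 pattern: the sender-specified length is used without validation.
 * If len exceeds the bytes actually received, memcpy reads past the end of
 * pkt; if it exceeds MAX_VALUE, it also overruns out->value. On a modem
 * either fault ends in a system reset: availability loss only, matching the
 * CVE's C:N/I:N/A:H vector. Kept here for contrast; never call it on
 * untrusted data. */
int parse_tlv_unchecked(const uint8_t *pkt, size_t pkt_len, struct tlv *out)
{
    if (pkt_len < 2)
        return -1;
    out->type = pkt[0];
    out->len = pkt[1];
    memcpy(out->value, pkt + 2, out->len); /* trusts out->len blindly */
    return 0;
}

/* Hardened form (NIST SI-10): the specified quantity is checked against
 * both the destination capacity and the bytes received before any copy. */
int parse_tlv_checked(const uint8_t *pkt, size_t pkt_len, struct tlv *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1; /* header incomplete */
    uint8_t len = pkt[1];
    if (len > MAX_VALUE)
        return -2; /* would overrun out->value */
    if ((size_t)len > pkt_len - 2)
        return -3; /* would read beyond the received bytes */
    out->type = pkt[0];
    out->len = len;
    memcpy(out->value, pkt + 2, len);
    return 0;
}

/* Parses consecutive TLVs from one packet. Returns the number parsed, or the
 * negative code of the first malformed element (-4 if out[] is full), so a
 * single bad length rejects the packet instead of desynchronizing the parser. */
int parse_tlv_stream(const uint8_t *pkt, size_t pkt_len,
                     struct tlv *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < pkt_len) {
        if (n >= max_out)
            return -4;
        int rc = parse_tlv_checked(pkt + off, pkt_len - off, &out[n]);
        if (rc != 0)
            return rc;
        off += 2u + out[n].len;
        n++;
    }
    return (int)n;
}

/* Constructed samples: a valid element (type 1, len 3, "abc") and the same
 * element followed by one whose length byte 0x40 (64) exceeds both the
 * 16-byte field and the single byte that follows it. */
const uint8_t SAMPLE_GOOD[] = {0x01, 0x03, 'a', 'b', 'c'};
const uint8_t SAMPLE_BAD[] = {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x40, 0xAA};
struct tlv g_items[4];

int main(void)
{
    printf("good packet: %d element(s)\n",
           parse_tlv_stream(SAMPLE_GOOD, sizeof SAMPLE_GOOD, g_items, 4));
    printf("bad packet: rc=%d\n",
           parse_tlv_stream(SAMPLE_BAD, sizeof SAMPLE_BAD, g_items, 4));
    /* parse_tlv_unchecked(SAMPLE_BAD + 5, 3, &g_items[0]) would memcpy 64
     * bytes from a 3-byte tail into a 16-byte field: the crash class above. */
    return 0;
}
```

The checked parser validates the length against two independent limits, the destination field and the bytes that actually arrived, because a value that satisfies one can still violate the other; the stream walker then fails closed on the first bad element rather than trying to resynchronize on attacker-controlled offsets.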

Details

CWE(s)

CWE-1284 Improper Validation of Specified Quantity in Input

Affected Products

MediaTek LR12: all versions
MediaTek LR13: all versions
MediaTek NR15: all versions
MediaTek NR16: all versions
MediaTek NR17.R1: all versions
MediaTek NR17.R2: all versions

CVEs Like This One

CVE-2024-20150 (same product: MediaTek LR13)
CVE-2026-20434 (same product: MediaTek LR13)
CVE-2025-20727 (same product: MediaTek MT2735)
CVE-2024-20154 (same product: MediaTek LR13)
CVE-2025-20708 (same product: MediaTek MT2735)
CVE-2025-20634 (same product: MediaTek MT2737)
CVE-2026-20433 (same product: MediaTek MT2735)
CVE-2026-20432 (same product: MediaTek MT2735)
CVE-2026-20401 (same product: MediaTek MT2735)
CVE-2025-20646 (same product: MediaTek MT6890)
