Cyber Resilience

CVE-2026-20418

Critical

Published: 02 February 2026

Modified: 03 February 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (25.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-20418 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Google Matter. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 25.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-20418 is a critical-severity vulnerability in the Thread networking component, stemming from a missing bounds check that enables an out-of-bounds write. This flaw, classified under CWE-787, affects Thread implementations, as detailed in MediaTek's product security resources, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It carries Patch ID WCNCR00465153 and Issue ID MSV-4927.

A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation could result in escalation of privilege, potentially granting unauthorized access to sensitive data (confidentiality), system modification (integrity), and service disruption (availability).

MediaTek's February 2026 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/February-2026 provides details on the patch (WCNCR00465153), recommending affected users apply it promptly to mitigate the risk of remote code execution or privilege escalation in Thread-enabled devices.

Vulnerability details

In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 · Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A remote, unauthenticated out-of-bounds write in the Thread networking component directly enables RCE through exploitation of a public-facing network service (T1190) and leads to privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20641 · Same vendor: Google
CVE-2026-20412 · Same vendor: Google
CVE-2025-20778 · Same vendor: Google
CVE-2026-20409 · Same vendor: Google
CVE-2025-20798 · Same vendor: Google
CVE-2025-20795 · Same vendor: Google
CVE-2025-20800 · Same vendor: Google
CVE-2025-20645 · Same vendor: Google
CVE-2026-20416 · Same vendor: Google
CVE-2026-0113 · Same vendor: Google

Affected Assets

Vendor: google · Product: matter · Versions: ≤ 1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the missing bounds check by requiring validation of information inputs to prevent out-of-bounds writes in the Thread networking component.

prevent

Implements memory protection mechanisms such as address space layout randomization and data execution prevention to block exploitation of the out-of-bounds write vulnerability.

prevent

Mandates timely flaw remediation including installation of the specific vendor patch WCNCR00465153 to fix the missing bounds check in Thread.
