HIGH | CVE-2026-20452 | Published | Modified | CNA: MediaTek

CVE-2026-20452: In wlan AP driver, there is a possible memory corruption due to a heap buffer overflow

In wlan AP driver, there is a possible memory corruption due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480138; Issue ID: MSV-6295.

Metrics

CVSS v3.1: 8.0
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a heap buffer overflow in the MediaTek WLAN AP driver affecting chipsets MT6890, MT7615, MT7915, and MT7916. An attacker on the same local network or adjacent wireless segment who holds a low-privilege user account can send a crafted request that corrupts heap memory, requiring no victim interaction. Successful exploitation gives the attacker full code execution on the affected device, with high impact on confidentiality, integrity, and availability. No fix version has been published; HarborGuard tracks the MediaTek advisory for patch availability and will surface a patched rebuild the moment one is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-20452 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle MediaTek WLAN driver components.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.0 (HIGH) and weighting it against each customer environment's compliance policy to surface it at the appropriate severity tier; routing to the relevant team inbox within each customer organization is handled automatically based on policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the MediaTek advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as an upstream patch ID resolves to a shippable artifact.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Detail

    The attacker must be on the same adjacent network segment (local LAN, wireless BSS, or VPN) as the target; remote over-the-internet exploitation is not possible with this attack vector.

  • Authentication: Required

    A low-privilege user account on the target system or network context is required; unauthenticated exploitation is not possible.

  • Victim interaction: Not required

    No action from a victim user is needed; the attacker can trigger the heap overflow without any social-engineering step.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

  • Reads protected memory regions, exposing credentials, session state, or other sensitive data held by the driver.
  • Writes arbitrary data into heap memory, allowing the attacker to overwrite function pointers or control structures and achieve code execution.
  • Crashes or destabilizes the WLAN AP driver process, taking down wireless connectivity for all clients associated with the affected access point.
  • With code execution at driver privilege level, an attacker can persist malicious code or pivot to other network-adjacent systems.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-20452 is active across customer registries and pipelines with no configuration required, covering any image that includes affected MediaTek WLAN driver components. Because MediaTek has not yet published a fix version, HarborGuard monitors the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a patch is released. In the interim, compensating controls worth considering include network-policy rules that restrict adjacency to the affected chipset's management interface, egress filtering on wireless segments hosting MT6890, MT7615, MT7915, or MT7916 hardware, and disabling AP-mode features that are not operationally required. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR-opening flow will trigger without manual action the moment an upstream fix is published.

Affected packages
  • MediaTek, Inc. / MediaTek chipset
    MT6890 · MT7615 · MT7915 · MT7916 · MT7981 · MT7986
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H