An attacker sending a malformed SIP message over VoLTE to a device with a MediaTek baseband can trigger the vulnerability described here.
The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of MediaTek devices. This vulnerability is assigned CVE-2025-20725.
## Vulnerability Details
```
inet_msg_unpack_uri_with_len:
…
if (strcasecmp(proto, "http"))
…
*pbVar1 = bVar6;
proto_len = 6;
proto = after_proto + 1;
*after_proto = ”;
after_proto = after_proto + 2;
*proto = ”;
```
Some bytes are written after the stored scheme; if the stored string is too short, these writes overflow the heap buffer.
Note that `https` (instead of `http`) takes a very similar but distinct code path. The bug is also triggered with `rtsp`.
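The bounds check whose absence is described above, sketched as an added example (this is not MediaTek code and not part of the original advisory). The function names, the `cap` parameter, the colon-based scheme split and the values written are assumptions of this simplified model; only the pattern of two in-place writes after the scheme follows the fragment.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive match of the first n bytes of s against a scheme name. */
static int scheme_is(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i])
            return 0;
    return 1;
}

/* Hypothetical, simplified model (not MediaTek code).
 * buf: heap copy of the URI, cap: size of that allocation in bytes.
 * Splits the URI in place with two one-byte writes after the scheme,
 * but only once both writes and the start of the remainder are proven
 * to lie inside the stored string.
 * Returns 0 and sets *rest, or -1 without writing anything. */
int split_scheme_checked(char *buf, size_t cap, char **rest)
{
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL)
        return -1;                      /* no terminator inside cap */
    size_t len = (size_t)(nul - buf);

    const char *colon = memchr(buf, ':', len);
    size_t scheme_len = colon ? (size_t)(colon - buf) : len;

    if (!scheme_is(buf, scheme_len, "http") &&
        !scheme_is(buf, scheme_len, "https") &&
        !scheme_is(buf, scheme_len, "rtsp"))
        return -1;

    /* Writes land at scheme_len and scheme_len + 1. A bare "http" in a
     * 5-byte allocation would put the second write at index 5. */
    if (len < scheme_len + 2)
        return -1;

    buf[scheme_len] = '\0';             /* terminate the scheme */
    buf[scheme_len + 1] = '\0';         /* second write; value is constructed */
    *rest = buf + scheme_len + 2;
    return 0;
}
```

A rejected input is left untouched, so the caller can log the original header and drop the message.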
## Example payload
```
0 http
```
Variants (not all combinations included):
```
0 https
```
```
0 rtsp
```
```
0 b:http
```
```
0 b:https
```
```
Record-Route:0>
```