An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is a DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

## Vulnerability Details

The crash is caused by a trap instruction, described below.

The `inet_msg_unpack_body` function has a vulnerability which makes the SIP parsing susceptible to DoS attacks.
The relevant code path can be reached with syntactically correct SIP messages with a `multipart` content type (see the Example payload section for an actual message).

```
curr_inet_mem_pos = inet_mem->pos;
if (content_length != 0 && (app_type != INET_MSG_APP_SIP || is_raw_data != 0)) {
    /* the declared body must fit inside the remaining buffer */
    if (inet_mem->end <= curr_inet_mem_pos ||
        inet_mem->end - curr_inet_mem_pos < content_length)
        goto LAB_exit_with_error_0xc;
    /* scan forward for the "--<boundary>" delimiter */
    pos = curr_inet_mem_pos;
    while (*pos != '-' || pos[1] != '-' ||
           memcmp(pos + 2, boundary_str, boundary_str_len) != 0) {
        pos = pos + 1;
    }
    /* -2 accounts for the CRLF before the delimiter; underflows when pos == curr_inet_mem_pos */
    fragment_body_len = (pos - curr_inet_mem_pos) - 2;
    mem = voip_get_mem(fragment_body_len + 1,
                       "protocol/ims/core/src/sip/inet_msg_unpack.c", 0xc25);
```

In the `fragment_body_len = (pos - curr_inet_mem_pos) - 2;` assignment, the -2 accounts for the trailing `\r\n` character sequence after the body. However, when there is no body, `pos - curr_inet_mem_pos` is zero, so `fragment_body_len` becomes -2. This leads to an allocation size of -1 in the `voip_get_mem(fragment_body_len + 1, ...)` call.

`voip_get_mem` is a wrapper for `__kal_adm_alloc`, which returns a NULL pointer for non-positive allocation sizes. The crash happens because `voip_get_mem` subsequently checks the returned pointer and traps on NULL:

```
voip_get_mem+64: 90b0c2b2 12 10 break 0x2
```
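To make the arithmetic concrete, here is an added example in C (not MediaTek's code) that reproduces the length computation from the snippet above over a constructed buffer, next to a hardened version that rejects an empty fragment body before any allocation size is derived from it. The function names and the buffer contents are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not MediaTek code: the fragment-length computation the
 * advisory describes, in a vulnerable and a hardened form. */

/* Locate "--<boundary>" in [pos, end). Returns NULL when not found. */
static const char *find_boundary(const char *pos, const char *end,
                                 const char *boundary, size_t blen)
{
    for (; pos + 2 + blen <= end; pos++) {
        if (pos[0] == '-' && pos[1] == '-' &&
            memcmp(pos + 2, boundary, blen) == 0)
            return pos;
    }
    return NULL;
}

/* Mirrors the advisory's arithmetic: (pos - start) - 2 with no lower bound.
 * With an empty body the result is -2, and the caller's "+ 1" yields -1. */
long fragment_len_vulnerable(const char *body, size_t len, const char *boundary)
{
    const char *pos = find_boundary(body, body + len, boundary, strlen(boundary));
    if (pos == NULL)
        return -1; /* constructed inputs always contain the boundary */
    return (long)(pos - body) - 2;
}

/* Hardened: a fragment that cannot hold the CRLF preceding the delimiter is
 * rejected, so the caller never derives a non-positive allocation size. */
long fragment_len_hardened(const char *body, size_t len, const char *boundary)
{
    const char *pos = find_boundary(body, body + len, boundary, strlen(boundary));
    if (pos == NULL || (size_t)(pos - body) < 2)
        return -1;          /* empty body or missing boundary: reject message */
    if (pos[-2] != '\r' || pos[-1] != '\n')
        return -1;          /* delimiter must be preceded by CRLF */
    return (long)(pos - body) - 2;
}
```

The first input below is the shape of the example payload (delimiter immediately at the body position); the second is a well-formed one-part body.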

## Example payload

```
a
Content-Type: multipart/mixed;boundary="boundary"

--boundary
Content-Type: application/vnd.3gpp.sms
Content-Length: 1

--boundary--
```

Note that `a` is the SIP request line.

## Affected Devices

Includes most, possibly all, of the following devices:

MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

## Timeline

- 2025.06.23. Bug reported to Mediatek PSIRT
- 2025.07.23. Mediatek confirms vulnerability, does not assign CVE due to low severity
- 2025.10.01. Advisory release