An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is a DoS in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

## Vulnerability Details

The crash is caused by a NULL access.

`sip_msg_content_type_compatible` assumes a content type with a subcontenttype (e.g. `text/plain`), but `inet_msg_unpack_content_type` accepts a content type without a subcontenttype (e.g. `text`).

```
bool sip_msg_content_type_compatible(char **accept,char **contentType)
{
  int iVar1;
  char *pcVar2;
  char *pcVar3;

  iVar1 = voip_strcasecmp(accept[0],"*");
  pcVar3 = "*";
  // If the Accept is in format */something, accept anything, if the Accept is exactly */*
  if (iVar1 != 0) {
    // Here we know that main_content_type is specific in the Accept header
    iVar1 = voip_strcasecmp(contentType[0],"*");
    if (iVar1 == 0) {
      // ??? wildcard in Content-Type is invalid
      pcVar2 = contentType[1];
      pcVar3 = "*";
      return voip_strcasecmp(accept[1],pcVar3);
    }
    // no wildcards in main content type
    iVar1 = voip_strcasecmp(*accept,*contentType);
    if (iVar1 != 0) {
      // mismatch in main content type
      return false;
    }
    iVar1 = voip_strcasecmp(accept[1],"*");
    if ((iVar1 == 0) || (iVar1 = voip_strcasecmp(contentType[1],"*"), iVar1 == 0)) {
      // wildcard specified either in Accept (or Content-Type???)
      return true;
    }
    pcVar3 = contentType[1];
  }
  pcVar2 = accept[1];
LAB_90ba05dc:
  iVar1 = voip_strcasecmp(pcVar2,pcVar3);
  return iVar1 == 0;
}
```
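A NULL-tolerant form of the comparison above, as an added example; it is not Mediatek's code or the vendor's fix. The two-element `[type, subtype]` layout with a NULL subtype is an assumption drawn from how the decompiled code indexes its arguments, `field_eq` and `content_type_compatible_checked` are hypothetical names, and wildcards are honoured only on the Accept side, which is narrower than the decompiled logic.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout, inferred from how the decompiled code indexes its arguments:
 * [0] = main type, [1] = subtype, NULL when the header had no "/subtype". */

/* Hypothetical helper: case-insensitive equality that tolerates NULL. */
static bool field_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return false;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Hypothetical hardened comparison: a media type missing either field is
 * treated as malformed and never compatible, so no branch reads through NULL.
 * Wildcards are honoured only on the Accept side. */
bool content_type_compatible_checked(char *const accept[2],
                                     char *const content_type[2])
{
    if (accept == NULL || content_type == NULL)
        return false;
    if (accept[0] == NULL || accept[1] == NULL ||
        content_type[0] == NULL || content_type[1] == NULL)
        return false;                      /* "text" or "application" alone */

    /* Main type must match unless Accept has a wildcard main type. */
    if (!field_eq(accept[0], "*") && !field_eq(accept[0], content_type[0]))
        return false;

    /* Subtype must match unless Accept has a wildcard subtype. */
    return field_eq(accept[1], "*") || field_eq(accept[1], content_type[1]);
}

int main(void)
{
    /* Constructed inputs: an Accept of "application" and a body of "text/plain". */
    char *accept_no_sub[2] = { "application", NULL };
    char *body[2] = { "text", "plain" };
    printf("compatible=%d\n", content_type_compatible_checked(accept_no_sub, body));
    return 0;
}
```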

## Example payload

```
INVITE sip:2 SIP/2.0
Accept: application
From:
```