An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is DoS in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725.

## Vulnerability Details

Crash happens due to a NULL access.

“`
void sdp_msg_create_negotiation_sdp(…) { sdp_cpy = sdp_msg_struct_copy(sdp_msg); // [1] if (sdp_cpy == (sdp_message_struct *)0x0) { … return; } media = sdp_cpy->m; if (media != (sdp_media_struct *)0x0) { media_orig_p = sdp_msg->m; // original media while (media_orig_p != (sdp_media_struct *)0x0) { // [2] tcap_p = &media->tcap; if ((operator_id != 0xec) || (iVar4 = strcmp(media_orig_p->transport,”RTP/AVP”), iVar4 != 0)) { sdp_msg_remove_attribute((short *)media->other_attributes,”acfg”,(char *)0x0,0,0); // [4] … } … media = media->next; media_orig_p = media_o_p->next; // [3] } } … sdp_msg_pack_media for(; media != (sdp_media_struct *)0x0; media=media->next) { // [1] if ((media->is_present == KAL_FALSE)) { continue; } if (media->transport[0] == ”) { // [4] continue; } }
“`

The function starts with copying the SDP structure (at `[1]`, `sdp_msg_struct_copy` basically packs and unpacks the SDP message). The target will be returned, but it’s modified in-place.

At `[2]` it can be seen that the loop is until the original structure ends. However, no check is in place for the copied structure _inside the loop_ (there is a check _before_ the loop). This is a problem, because at `[3]` they are iterated in sync, but if a media element is missing from the copy, the original structure ends, and a null pointer is dereferenced at `[4]`.

## Example payload

Change any valid INVITE-flow message SDP contents to contain the following:

“`
m=application 0 0
“`

e.g.:

“`
INVITE sip:192.168.101.2:50033;transport=tcp SIP/2.0 From: ;tag=ttecbsI To: “0010187049”