An attacker sending a malformed SIP message over VoLTE to a device with a MediaTek baseband can trigger the vulnerability described here.

The impact is a denial of service (DoS) in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of MediaTek devices. It has been assigned CVE-2025-20725.

## Vulnerability Details

The crash is caused by a NULL pointer access.

The crash happens in `sdp_msg_create_negotiation_sdp`.

It is caused by a malformed audio attribute for `RTP/AVP` resulting in a NULL pointer access, which crashes the modem.
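The defensive pattern for this bug class, as an added example that is not MediaTek's code: an SDP audio attribute parser that checks every pointer a search returns before using it and rejects the offer on malformed input. The advisory does not say which attribute or pointer is involved; the `a=rtpmap` attribute, `struct rtpmap`, `parse_rtpmap` and `negotiate_audio` are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical codec record; not the modem's real data structure. */
struct rtpmap { int payload_type; char encoding[32]; long clock_rate; };

/* Parse "a=rtpmap:<pt> <encoding>/<clock>[/<params>]" into out.
 * Returns 0 on success, -1 on malformed input. Every pointer returned by a
 * search is checked before use; out is written only after full validation. */
int parse_rtpmap(const char *line, struct rtpmap *out)
{
    static const char prefix[] = "a=rtpmap:";
    if (line == NULL || out == NULL) return -1;
    if (strncmp(line, prefix, sizeof prefix - 1) != 0) return -1;
    const char *p = line + sizeof prefix - 1;
    if (*p < '0' || *p > '9') return -1;          /* payload type must be digits */

    char *end;
    long pt = strtol(p, &end, 10);
    if (*end != ' ' || pt > 127) return -1;       /* RTP payload type is 7 bits */

    const char *enc = end + 1;
    const char *slash = strchr(enc, '/');         /* NULL when "/<clock>" is missing */
    if (slash == NULL) return -1;                 /* the check a NULL access lacks */
    size_t len = (size_t)(slash - enc);
    if (len == 0 || len >= sizeof out->encoding) return -1;
    if (slash[1] < '0' || slash[1] > '9') return -1;

    long rate = strtol(slash + 1, &end, 10);
    if (rate <= 0 || (*end != '\0' && *end != '/' && *end != '\r')) return -1;

    out->payload_type = (int)pt;
    memcpy(out->encoding, enc, len);
    out->encoding[len] = '\0';
    out->clock_rate = rate;
    return 0;
}

/* Negotiation step: skip malformed attributes and reject the offer when no
 * usable codec remains, instead of continuing with an unset entry. */
int negotiate_audio(const char *const *attrs, size_t n, struct rtpmap *chosen)
{
    for (size_t i = 0; i < n; i++)
        if (parse_rtpmap(attrs[i], chosen) == 0) return 0;   /* accept */
    return -1;   /* reject: caller answers with a SIP error such as 488 */
}
```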

## Example payload

The following SIP messages were tested:

```
INVITE sip:1 SIP/2.0
Content-Type: application/sdp
From: &
```