Vypr Intelligence · AI-generated · Jun 1, 2026 · 4 CVEs

MediaTek: Four CVEs Disclosed — Three GenieZone TEE Bugs and a WLAN Driver Overflow

MediaTek disclosed four vulnerabilities on June 1, 2026 — three out-of-bounds write flaws in the GenieZone TEE and a heap buffer overflow in the WLAN AP driver — all with patches available.

Key findings

  • Three out-of-bounds write bugs in MediaTek's GenieZone TEE, two from missing bounds checks and one from a race condition
  • One heap buffer overflow in the WLAN AP driver enabling proximal remote code execution
  • All GenieZone bugs require the attacker to already hold System privilege; the WLAN bug requires User privilege
  • Patches identified by IDs ALPS10873936, ALPS10886526, and WCNCR00480138
  • No active exploitation reported at disclosure time, but TEE bugs threaten device root of trust

MediaTek disclosed four vulnerabilities on June 1, 2026, three of which affect the GenieZone trusted execution environment (TEE) and one that hits the WLAN access-point driver. The GenieZone bugs are all local privilege-escalation flaws that require the attacker to already hold System privilege, while the WLAN driver bug is a heap buffer overflow that could enable remote code execution from an adjacent attacker. The batch is notable for the concentration of out-of-bounds write conditions in MediaTek's TEE component, which is used to isolate sensitive operations on many Android and IoT devices.

Three of the four CVEs — CVE-2026-20455, CVE-2026-20454, and CVE-2026-20453 — reside in GenieZone. CVE-2026-20455 and CVE-2026-20453 are both out-of-bounds writes caused by missing bounds checks. CVE-2026-20454 is also an out-of-bounds write, but it is triggered by a race condition rather than a missing check. All three share the same preconditions: an attacker must have already obtained System privilege, and no user interaction is required for exploitation. The first two bugs are addressed by patch ID ALPS10873936; the third by ALPS10886526.
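The summary above gives no code-level detail for CVE-2026-20454, so the following added example (not MediaTek's code and not taken from the advisories) illustrates only the general bug class: an out-of-bounds write that a bounds check fails to prevent because the length is read again from caller-writable memory after the check. The struct, function names and sizes are hypothetical, and the concurrent writer is simulated with a callback so the outcome is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECURE_CAP 16u /* logical size of the secure-side buffer */
#define ARENA_LEN  64u /* backing store; bytes past SECURE_CAP model adjacent memory */

/* Hypothetical request layout in memory the less-trusted caller can still write. */
struct shared_req { volatile uint32_t len; uint8_t data[ARENA_LEN]; };

/* Stand-in for a concurrent writer on another core, run between check and use. */
typedef void (*racer_fn)(struct shared_req *);
static void grow_len(struct shared_req *r) { r->len = ARENA_LEN; }

/* Before: len is validated, then fetched from shared memory a second time. */
static int handle_double_fetch(uint8_t *arena, struct shared_req *r, racer_fn racer) {
    if (r->len > SECURE_CAP) return -1; /* fetch 1: check */
    if (racer) racer(r);                /* race window */
    memcpy(arena, r->data, r->len);     /* fetch 2: use */
    return 0;
}

/* After: fetch once into private memory, validate the copy, use only the copy. */
static int handle_snapshot(uint8_t *arena, struct shared_req *r, racer_fn racer) {
    uint32_t len = r->len;
    if (len > SECURE_CAP) return -1;
    if (racer) racer(r);                /* same window, now harmless */
    memcpy(arena, r->data, len);
    return 0;
}

typedef int (*handler_fn)(uint8_t *, struct shared_req *, racer_fn);
/* Runs one constructed 8-byte request; returns bytes modified past SECURE_CAP. */
static unsigned bytes_past_cap(handler_fn handler, racer_fn racer) {
    uint8_t arena[ARENA_LEN] = {0};
    struct shared_req r;
    unsigned dirty = 0;
    memset(r.data, 0xAA, sizeof r.data);
    r.len = 8;
    handler(arena, &r, racer);
    for (unsigned i = SECURE_CAP; i < ARENA_LEN; i++) dirty += (arena[i] != 0);
    return dirty;
}

int main(void) {
    printf("double fetch, raced: %u bytes past cap\n", bytes_past_cap(handle_double_fetch, grow_len));
    printf("snapshot, raced:     %u bytes past cap\n", bytes_past_cap(handle_snapshot, grow_len));
    return 0;
}
```

Without the simulated writer the first handler stays in bounds, which is why this class tends to pass functional testing and needs review of every read from shared memory.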

The fourth CVE, CVE-2026-20452, is in the WLAN AP driver and is a heap buffer overflow that could lead to remote (proximal/adjacent) code execution. Unlike the GenieZone bugs, this one requires User execution privileges, meaning the attacker must already have some foothold on the device. The patch ID is WCNCR00480138.

MediaTek has released patches for all four issues. The patch IDs referenced in the advisories — ALPS10873936, ALPS10886526, and WCNCR00480138 — are available through MediaTek's standard security update channels. Device manufacturers (OEMs) that integrate MediaTek chipsets are responsible for incorporating these fixes into their firmware updates. Users should apply updates from their device vendor as soon as they become available.

While none of the CVEs are reported as being exploited in the wild at the time of disclosure, the GenieZone bugs are especially concerning because they target a trusted execution environment — the very layer meant to protect sensitive data such as cryptographic keys and biometrics. A local attacker who already holds System privilege could use these out-of-bounds writes to escalate further within the TEE, potentially compromising the device's root of trust. The WLAN driver bug, meanwhile, expands the attack surface to proximal attackers who can reach the device over Wi-Fi.

For organizations and users relying on MediaTek-powered devices — particularly Android handsets and IoT gateways — this batch underscores the importance of applying OEM security patches promptly. The GenieZone TEE is a high-value target, and the recurrence of out-of-bounds write patterns in the same component suggests that MediaTek's internal code review processes for this module warrant continued scrutiny.

AI-written article. Grounded in 4 CVE records listed below.