July 2025 Product Security Bulletin

Published 2025-07-08
The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT, Computer Vision, Audio, and TV chipsets. Device OEMs were notified of all the issues and the corresponding security patches at least two months before publication.

The severity of the identified vulnerabilities was assessed based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).


Summary

Severity CVEs
High CVE-2025-20680, CVE-2025-20681, CVE-2025-20682, CVE-2025-20683, CVE-2025-20684, CVE-2025-20685, CVE-2025-20686
Medium CVE-2025-20687, CVE-2025-20688, CVE-2025-20689, CVE-2025-20690, CVE-2025-20691, CVE-2025-20692, CVE-2025-20693, CVE-2025-20694, CVE-2025-20695


Details

CVE CVE-2025-20680
Title Heap overflow in Bluetooth
Severity High
Vulnerability Type EoP
CWE CWE-122 Heap Overflow
Description In Bluetooth driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT7902, MT7920, MT7921, MT7922, MT7925, MT7927
Affected Software Versions NB SDK release 3.6 and before
Report Source External

CVE CVE-2025-20681
Title Out-of-bounds write in wlan
Severity High
Vulnerability Type EoP
CWE CWE-787 Out-of-bounds Write
Description In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915
Affected Software Versions SDK release 5.1.0.0 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20682
Title Out-of-bounds write in wlan
Severity High
Vulnerability Type EoP
CWE CWE-787 Out-of-bounds Write
Description In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20683
Title Out-of-bounds write in wlan
Severity High
Vulnerability Type EoP
CWE CWE-787 Out-of-bounds Write
Description In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20684
Title Out-of-bounds write in wlan
Severity High
Vulnerability Type EoP
CWE CWE-787 Out-of-bounds Write
Description In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT7615, MT7622, MT7663
Affected Software Versions SDK release 5.1.0.0 and before
Report Source External

CVE CVE-2025-20685
Title Heap overflow in wlan
Severity High
Vulnerability Type RCE
CWE CWE-122 Heap Overflow
Description In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02 (MT6890)
Report Source External

CVE CVE-2025-20686
Title Heap overflow in wlan
Severity High
Vulnerability Type RCE
CWE CWE-122 Heap Overflow
Description In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02 (MT6890)
Report Source External

CVE CVE-2025-20687
Title Out-of-bounds read in Bluetooth
Severity Medium
Vulnerability Type DoS
CWE CWE-125 Out-of-bounds Read
Description In Bluetooth driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT7902, MT7920, MT7921, MT7922, MT7925, MT7927
Affected Software Versions NB SDK release 3.6 and before
Report Source External

CVE CVE-2025-20688
Title Out-of-bounds read in wlan
Severity Medium
Vulnerability Type ID
CWE CWE-125 Out-of-bounds Read
Description In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20689
Title Out-of-bounds read in wlan
Severity Medium
Vulnerability Type ID
CWE CWE-125 Out-of-bounds Read
Description In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20690
Title Out-of-bounds read in wlan
Severity Medium
Vulnerability Type ID
CWE CWE-125 Out-of-bounds Read
Description In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20691
Title Out-of-bounds read in wlan
Severity Medium
Vulnerability Type ID
CWE CWE-125 Out-of-bounds Read
Description In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20692
Title Out-of-bounds read in wlan
Severity Medium
Vulnerability Type ID
CWE CWE-125 Out-of-bounds Read
Description In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986
Affected Software Versions SDK release 7.6.7.2 and before / OpenWrt 19.07, 21.02
Report Source External

CVE CVE-2025-20693
Title Out-of-bounds read in wlan
Severity Medium
Vulnerability Type ID
CWE CWE-125 Out-of-bounds Read
Description In wlan STA driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT2737, MT6835, MT6878, MT6886, MT6897, MT6899, MT6985, MT6989, MT6990, MT6991, MT7902, MT7920, MT7921, MT7922, MT7923, MT7925, MT7927, MT7932, MT8196, MT8678, MT8796, MT8893
Affected Software Versions Android 13.0, 14.0, 15.0 / SDK release 3.7 and before / OpenWrt 21.02, 23.05 / Yocto 4.0
Report Source External

CVE CVE-2025-20694
Title Buffer underflow in Bluetooth
Severity Medium
Vulnerability Type DoS
CWE CWE-124 Buffer Underflow
Description In Bluetooth FW, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT2718, MT6639, MT6653, MT6985, MT6989, MT6990, MT6991, MT7925, MT7927, MT8113, MT8115, MT8127, MT8163, MT8168, MT8169, MT8173, MT8183, MT8186, MT8188, MT8195, MT8196, MT8370, MT8390, MT8391, MT8395, MT8512, MT8516, MT8519, MT8676, MT8678, MT8695, MT8696, MT8698, MT8786, MT8792, MT8796, MT8893
Affected Software Versions Android 13.0, 14.0, 15.0 / SDK release 3.7 and before / OpenWrt 21.02, 23.05
Report Source External

CVE CVE-2025-20695
Title Buffer underflow in Bluetooth
Severity Medium
Vulnerability Type DoS
CWE CWE-124 Buffer Underflow
Description In Bluetooth FW, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Affected Chipsets MT6639, MT6653, MT6985, MT6989, MT6990, MT6991, MT7925, MT7927, MT8196, MT8678, MT8796
Affected Software Versions Android 13.0, 14.0, 15.0 / SDK release 3.7 and before / OpenWrt 21.02, 23.05
Report Source External


Vulnerability Type Definition

Abbreviation Definition
RCE Remote Code Execution
EoP Elevation of Privilege
ID Information Disclosure
DoS Denial of Service
N/A Classification not available


Versions

Version Date Description
1.0 July 8, 2025 Bulletin published.


Notes

The information above reflects only what was known at the time this Security Bulletin was created. The list of affected chipsets may not be complete. For any further information, device OEMs can reach their MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to the Report Security Vulnerability page on the MediaTek website.