MediaTek kicked off the first full working week of the new year by disclosing a bevy of security vulnerabilities, including a critical remote code execution bug affecting 51 chipsets.

The fabless semiconductor biz gave the RCE a “critical” severity assessment but didn’t provide a specific rating after running it through the CVSS frameworks, so it could be anywhere between nine and ten.

Tracked as CVE-2024-20154, it’s a stack overflow issue in affected chipsets’ modems, one that leads to RCE if an affected device connects to an attacker-controlled base station. A successful attack doesn’t require the attacker to acquire any additional privileges, nor does it depend on user interaction.

The list of affected chipsets is long and includes ones for use in cars, smartphones, IoT devices, and Chromebooks. 

The number of software versions is much smaller, however:

• Modem LR12A

• Modem LR13

• Modem NR15

• Modem NR16.R1.MP

• Modem NR16.R1.MP1MP2.MP

• Modem NR16.R2.MP

MediaTek said device manufacturers were all told about the issues and accompanying patches at least two months prior to today’s disclosure, so all the vulnerabilities in the vendor’s advisory should be fixed by now.

Of those vulnerabilities, seven were assessed to be “high” severity and five were given “medium” status.

The high-severity bugs included a mix of RCE and elevation of privilege issues, all affecting multiple chipsets, while the medium-severity vulnerabilities led to denial of service and information disclosure.

MediaTek’s reported expansion

As the list of chipsets affected by CVE-2024-20154 affirms, MediaTek’s chips aren’t just used in mobile and IoT devices – markets in which the Taiwanese company among the leaders – but in Chromebooks too.

MediaTek is also reportedly working on entering the PC chip market, insiders told Reuters last year, with its first Arm designed units expected at sometime in 2025, although the vendor hasn’t confirmed anything publicly.

Recent product diversification efforts have seen MediaTek’s chips target the AIoT market. Its Genio platform, launched in 2022, is one example of this. But with Qualcomm’s exclusive Windows on Arm deal, established in 2016, expiring in 2024 – as confirmed by Arm CEO Rene Haas almost a year ago to the day – other vendors like MediaTek, Nvidia, and AMD are poised to get in on the act with their own AI-ready chips.

The Register approached MediaTek for a response to these reports, but it didn’t immediately respond. ®