CVE-2023-20696

MEDIUM

Android - Out-of-bounds Write in Preloader

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-20696. PoCs published by kasnria001.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2023-20696, targeting MTK (MediaTek) bootloader image parsing vulnerabilities. The scripts manipulate MTK CERT2 hashes and part_hdr_t structures to bypass signature validation, enabling arbitrary code execution during boot.

Description

In preloader, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07856356 / ALPS07874388 (For MT6880 and MT6890 only); Issue ID: ALPS07856356 / ALPS07874388 (For MT6880 and MT6890 only).

Exploits (1)

nomisec WORKING POC 1 stars
by kasnria001 · poc
https://github.com/kasnria001/pwnage24mtk

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mediatek bootloader (MTK)
No auth needed
Prerequisites: Access to MTK device firmware images · Ability to flash modified bootloader images
devstral-2 · analyzed Jun 29, 2026

Scores

CVSS v3 6.7
EPSS 0.0009
EPSS Percentile 0.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE CWE-787
Status published
Products (3)
google/android 13.0
openwrt/openwrt 19.07.0
openwrt/openwrt 21.02.0
Published May 15, 2023
Tracked Since Feb 18, 2026