Your phone could be taken over by a device sitting in a backpack across the street — and you'd never know it happened.
Who's at Risk — and How Bad Is It?
CVE-2026-20432 is a newly disclosed vulnerability in the modem firmware that ships inside a broad range of mobile devices. The modem is the component in your phone that handles all wireless communication — calls, texts, mobile data. It is, in other words, the part of your device that is always listening for a signal. That makes it a uniquely dangerous attack surface, because it can be reached without you ever opening an app, tapping a link, or doing anything at all.
The flaw carries a CVSS score of 8.0 (HIGH), and while no active exploitation has been confirmed in the wild yet, security teams are treating it as an urgent priority. The affected modem firmware is used across a wide range of Android-based devices globally — potentially covering hundreds of millions of handsets. Everyday users, enterprise employees carrying corporate phones, journalists, activists, and anyone in a high-density public space like an airport, stadium, or city center face elevated exposure.
What an Attacker Can Actually Do to You
Picture someone sitting in a parked car outside a coffee shop. In their bag is a cheap, portable piece of radio hardware — the kind you can order online for a few hundred dollars — configured to impersonate a legitimate cell tower. Your phone, always hunting for the strongest available signal, connects to it automatically. You still have bars. Your coffee is still hot. You have no idea anything has changed.
At that moment, the attacker sends your phone's modem a specially crafted signal — malformed data that the modem's software was never programmed to handle safely. Because the software fails to check whether incoming data fits within the memory space it has been allocated, the attacker can write their own code into regions of memory they were never supposed to touch. This technique, called an out-of-bounds write, is one of the most powerful weapons in a hacker's toolkit. It allows them to overwrite security controls, plant malicious instructions, and ultimately seize elevated control over the modem itself.
Once the modem is compromised, the attacker has a foothold in a component that sits beneath your phone's operating system — below Android, below your apps, below virtually every security layer you rely on. From there, the potential for further damage is significant: intercepting calls and messages, tracking location in real time, or pivoting deeper into the device. And critically, you never clicked anything. You never downloaded anything. Your phone simply looked for a signal, the way it does thousands of times a day.
The Technical Anchor: Missing Bounds Check in Modem Baseband
For the researchers and security engineers in the room: the vulnerability is classified as an out-of-bounds write (CWE-787) residing in MediaTek modem baseband firmware, patch ID MOLY01406170 (Issue ID: MSV-4461). The attack vector is Adjacent Network — meaning the attacker must be within radio range, not operating remotely over the internet — which is why the CVSS score lands at 8.0 rather than the maximum 10.0. Exploitation requires the user equipment (UE) to successfully register with the rogue base station, which introduces a practical but not prohibitive barrier. No elevated privileges are required on the attacker's side to trigger the write primitive.
Who Found It, and Has Anyone Been Attacked?
The vulnerability was disclosed through MediaTek's coordinated security bulletin process. At the time of publication, no confirmed exploitation in the wild has been documented, and no specific threat actor or campaign has been attributed. However, the security community's concern is well-founded: rogue base station attacks — sometimes called "IMSI catcher" or "stingray" attacks — have been used by both nation-state intelligence agencies and sophisticated criminal groups for years. A memory corruption primitive that enables privilege escalation from a rogue base station is precisely the kind of capability those actors seek to develop or acquire. The window between disclosure and weaponization has historically been short for vulnerabilities of this class.
Bottom line: This hasn't been used against people yet — as far as we know. That window will not stay open indefinitely.
What You Should Do Right Now
Whether you're an individual user or an IT administrator managing a fleet of corporate devices, here are three concrete steps to take immediately:
- Update your Android security patch level to the June 2026 patch or later. MediaTek has issued patch MOLY01406170 addressing this flaw. On Android, go to Settings → About Phone → Android Security Update and check your patch date. If you are behind June 2026, update now. Device manufacturers (Samsung, Xiaomi, Oppo, and others using MediaTek chipsets) are responsible for pushing these patches — check your manufacturer's security bulletin for device-specific timelines.
- Enable "LTE Only" or "4G Only" mode when in high-risk environments. Rogue base station attacks are significantly easier to execute on 2G (GSM) networks, which lack mutual authentication. Locking your phone to LTE or 5G reduces — though does not eliminate — your exposure. On most Android devices this is found under Settings → Network & Internet → SIMs → Preferred Network Type. Note: this may affect call quality in some regions.
- Enterprise administrators should prioritize patching MediaTek-powered devices in their mobile device management (MDM) console immediately. Flag any device running a security patch level older than June 2026 as non-compliant and restrict its access to corporate resources until updated. Given the network-adjacent attack vector, employees in public-facing roles, traveling internationally, or working in high-density urban areas should be considered elevated priority.
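As an added illustration of the administrator step above (example code, not part of the original article or any vendor tooling), a short triage script over a constructed MDM inventory: it marks MediaTek devices whose patch level predates June 2026 as non-compliant, sends unparseable patch levels or an unknown SoC vendor to manual review, and raises the priority of public-facing and travelling staff. The field names, role tags and inventory records are assumptions; the patch-level format is the YYYY-MM-DD value Android exposes as ro.build.version.security_patch.

```python
"""Triage MDM inventory for CVE-2026-20432 (MediaTek modem baseband, fixed in the
June 2026 patch level that carries MOLY01406170)."""
from datetime import date
from typing import Optional

FIXED_PATCH_LEVEL = date(2026, 6, 1)      # first patch level containing the fix
ELEVATED_ROLES = {"field", "travel"}      # assumed role tags for public-facing / travelling staff

# Constructed sample inventory; not real devices. patch_level mirrors the value of
# Android's ro.build.version.security_patch property (YYYY-MM-DD).
INVENTORY = [
    {"id": "dev-001", "soc_vendor": "MediaTek", "patch_level": "2026-06-05", "role": "office"},
    {"id": "dev-002", "soc_vendor": "MediaTek", "patch_level": "2026-03-05", "role": "field"},
    {"id": "dev-003", "soc_vendor": "Qualcomm", "patch_level": "2025-12-05", "role": "travel"},
    {"id": "dev-004", "soc_vendor": "MediaTek", "patch_level": "N/A",        "role": "travel"},
    {"id": "dev-005", "soc_vendor": "",         "patch_level": "2026-05-05", "role": "office"},
]


def parse_patch_level(raw: str) -> Optional[date]:
    """Return the patch level as a date, or None for anything that does not parse
    (an unknown level must never be treated as patched)."""
    try:
        return date.fromisoformat(raw.strip())
    except (ValueError, AttributeError):
        return None


def assess(device: dict) -> dict:
    """Classify one device: compliant, non_compliant, review or not_affected."""
    vendor = (device.get("soc_vendor") or "").strip().lower()
    level = parse_patch_level(device.get("patch_level", ""))
    patched = level is not None and level >= FIXED_PATCH_LEVEL
    if vendor and vendor != "mediatek":
        status = "not_affected"            # other SoC vendors are outside this advisory
    elif patched:
        status = "compliant"
    elif not vendor:
        status = "review"                  # SoC unknown: cannot rule MediaTek out
    else:
        status = "non_compliant"           # MediaTek and behind June 2026 (or unparseable)
    exposed = status in ("non_compliant", "review")
    priority = "elevated" if exposed and device.get("role") in ELEVATED_ROLES else "normal"
    return {"id": device["id"], "status": status, "priority": priority}


def triage(inventory: list) -> list:
    """Devices needing action, elevated priority first."""
    results = [r for r in map(assess, inventory) if r["status"] in ("non_compliant", "review")]
    return sorted(results, key=lambda r: r["priority"] != "elevated")
```

The returned list is what you would feed back into the MDM as the non-compliant set that loses access to corporate resources until updated.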
CVE-2026-20432 | CVSS 8.0 HIGH | Patch ID: MOLY01406170 | Category: Memory Corruption, Privilege Escalation | Exploitation status: No confirmed active exploitation at time of publication.