CVE-2026-20412

7.8 HIGH

📋 TL;DR

CVE-2026-20412 is an out-of-bounds write vulnerability in the cameraisp component that allows local privilege escalation. Attackers with initial System privilege access can exploit this without user interaction to gain higher privileges. This affects devices using MediaTek chipsets with vulnerable camera ISP firmware.

💻 Affected Systems

Products:
  • MediaTek chipset devices with cameraisp component
Versions: Specific versions not detailed in advisory; all versions before patch ALPS10351676
Operating Systems: Android-based systems using MediaTek chipsets
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices where camera ISP firmware is vulnerable; requires System privilege for initial access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code with kernel privileges, potentially installing persistent malware or accessing all system data.

🟠 Likely Case

Local privilege escalation from System to kernel-level access, enabling further system manipulation and persistence mechanisms.

🟢 If Mitigated

Limited impact if proper privilege separation and SELinux/app sandboxing are enforced, though kernel compromise remains possible.

🌐 Internet-Facing: LOW - Requires local access and System privilege, not directly exploitable over network.
🏢 Internal Only: HIGH - Malicious insiders or compromised System-level processes can exploit this for full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires System privilege first; exploitation then involves triggering the bounds check bypass. No user interaction is needed once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patch ID: ALPS10351676

Vendor Advisory: https://corp.mediatek.com/product-security-bulletin/February-2026

Restart Required: Yes

Instructions:

1. Contact device manufacturer for firmware update containing patch ALPS10351676.
2. Apply firmware update through official channels.
3. Reboot device after update completion.

🔧 Temporary Workarounds

Restrict System Privilege Access

Limit which applications and users can obtain System privilege through SELinux policies and app sandboxing.

Confirm SELinux is in enforcing mode before reviewing and tightening policies: getenforce
List installed packages with their APK paths to audit apps with system privileges: pm list packages -f

🧯 If You Can't Patch

  • Implement strict application sandboxing and SELinux enforcement to limit System privilege access
  • Monitor for suspicious privilege escalation attempts and restrict camera hardware access to trusted applications only

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against manufacturer's patched versions; examine if cameraisp component is present and vulnerable.

Check Version:

Check firmware/build version: getprop ro.build.fingerprint

Verify Fix Applied:

Verify patch ALPS10351676 is applied in firmware version and test camera functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation attempts
  • Camera ISP component crashes or abnormal behavior
  • SELinux denials related to cameraisp

Network Indicators:

  • Not network exploitable; focus on local system monitoring

SIEM Query:

Process elevation from System to kernel context without legitimate cause OR Camera ISP component access violations
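
For the "SELinux denials related to cameraisp" log indicator above, the following is an added example (not from the vendor advisory or this page's source) that parses SELinux AVC denial records and keeps those mentioning the camera ISP. The substring pattern, the function names, and every sample log line are assumptions constructed for illustration; real device node, process, and SELinux type names vary by vendor build.

```python
import re

# Substrings treated as "cameraisp-related" (assumption: real device node,
# process, and SELinux type names vary by vendor build; adjust per device).
ISP_PATTERN = re.compile(r"camera[-_]?isp", re.IGNORECASE)

# key=value fields in an SELinux AVC record; values may be quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_avc(line):
    """Return a dict for an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec


def cameraisp_denials(lines):
    """Yield denials whose comm, name, path, or contexts mention the ISP."""
    keys = ("comm", "name", "path", "scontext", "tcontext")
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if ISP_PATTERN.search(" ".join(rec.get(k, "") for k in keys)):
            yield rec


# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    'type=1400 audit(0.0:101): avc: denied { read write } for pid=4321 comm="example_svc" name="camera-isp" dev="tmpfs" ino=999 scontext=u:r:example_domain:s0 tcontext=u:object_r:example_isp_device:s0 tclass=chr_file permissive=0',
    'type=1400 audit(0.0:102): avc: denied { open } for pid=5000 comm="other" path="/data/example" dev="dm-1" ino=12 scontext=u:r:example_domain:s0 tcontext=u:object_r:example_file:s0 tclass=file permissive=0',
    'I/ExampleTag: camera preview started',
    'type=1400 audit(0.0:103): avc: denied { ioctl } for pid=4321 comm="example_svc" path="/dev/example0" dev="tmpfs" ino=77 ioctlcmd=0x1234 scontext=u:r:example_domain:s0 tcontext=u:object_r:cameraisp_example:s0 tclass=chr_file permissive=1',
]

if __name__ == "__main__":
    for d in cameraisp_denials(SAMPLE_LOG):
        # permissive=1 means the access was logged but not actually blocked.
        state = "blocked" if d.get("permissive") == "0" else "permissive (allowed, logged)"
        print(d["comm"], d["perms"], d.get("tcontext"), state)
```

Records with permissive=1 deserve particular attention, since the access was logged but not blocked.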
