CVE-2025-20747
📋 TL;DR
An out-of-bounds write in the GNSS service, caused by incorrect bounds checking, allows local privilege escalation for an attacker who already holds System privilege; no user interaction is needed. Affected devices are those using MediaTek chipsets with a vulnerable GNSS service implementation.
💻 Affected Systems
- MediaTek chipsets with GNSS service
📦 What is this software?
Android by Google
Openwrt by Openwrt
Rdk B by Rdkcentral
Yocto by Linuxfoundation
Zephyr by Zephyrproject
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, allowing installation of persistent malware, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation from System to higher privileges, enabling attackers to bypass security controls and execute arbitrary code.
If Mitigated
Limited impact if proper privilege separation and SELinux/app sandboxing are enforced, though kernel-level access may still be possible.
🎯 Exploit Status
Exploitation requires System privilege first, making this a secondary escalation vector. No public exploit available as of advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to patch ID ALPS10010443
Vendor Advisory: https://corp.mediatek.com/product-security-bulletin/November-2025
Restart Required: Yes
Instructions:
1. Check the device chipset model.
2. Contact the device manufacturer for a firmware update.
3. Apply the security patch containing the fix for MSV-3966.
4. Reboot the device after patch installation.
🔧 Temporary Workarounds
Disable GNSS service if not needed (Android)
Temporarily disable the vulnerable GNSS service component:
adb shell pm disable com.mediatek.gnssservice
adb shell stop gnss_service
Restrict System privilege access (all platforms)
Implement strict access controls to prevent unauthorized System privilege acquisition.
🧯 If You Can't Patch
- Implement strict SELinux policies to contain GNSS service
- Monitor for unusual privilege escalation attempts and System privilege abuse
🔍 How to Verify
Check if Vulnerable:
Check the device build fingerprint and security patch level:
adb shell getprop ro.build.fingerprint && adb shell getprop ro.build.version.security_patch
Check Version:
adb shell getprop ro.build.fingerprint
Verify Fix Applied:
Verify that patch ID ALPS10010443 is listed in the applied system update, or contact the manufacturer to confirm the fix is present.
📡 Detection & Monitoring
Log Indicators:
- Unexpected GNSS service crashes
- Privilege escalation attempts in audit logs
- SELinux denials related to gnss_service
Network Indicators:
- Unusual GNSS data requests from System-privileged processes
SIEM Query:
source="android_logs" AND ((process="gnss_service" AND event="crash") OR (event="privilege_escalation" AND target_process="gnss_service"))
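As an added example (not part of the advisory or any MediaTek code), the following Python applies the log indicators above to logcat-style lines and performs the patch-level check from the verification section; the sample lines are constructed, the process name `gnss_service` is the one the advisory uses, and the minimum patch level is a caller-supplied assumption because the page states no date.

```python
import re
from datetime import date

# Process name as given in the advisory; adjust to the name used on your build.
GNSS_PROC = "gnss_service"
# Native crash marker as logged by Android's libc; the trailing "(name)" is the thread name.
CRASH_RE = re.compile(r"Fatal signal \d+ \(\w+\).*\((?P<proc>[\w.]+)\)\s*$")
# SELinux denial as logged by auditd/logcat; pid= may or may not precede comm=.
AVC_RE = re.compile(r'avc: denied \{ (?P<perm>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"')


def classify_line(line: str):
    """Return an indicator tag for one logcat/audit line, or None if benign."""
    m = CRASH_RE.search(line)
    if m and m.group("proc") == GNSS_PROC:
        return "gnss_crash"
    m = AVC_RE.search(line)
    if m and m.group("comm") == GNSS_PROC:
        return "gnss_selinux_denial:" + m.group("perm").strip()
    return None


def scan_log(text: str) -> list:
    """Run classify_line over every line; return (line_no, tag) for each hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        tag = classify_line(line)
        if tag:
            hits.append((no, tag))
    return hits


def patch_level_is_current(security_patch: str, minimum: str) -> bool:
    """Compare ro.build.version.security_patch (YYYY-MM-DD) against the minimum
    level the OEM states for the fix. The advisory gives no date, so the
    caller supplies it (assumption)."""
    return date.fromisoformat(security_patch) >= date.fromisoformat(minimum)


# Constructed sample lines in logcat "threadtime" layout; not captured from a device.
SAMPLE_LOG = """\
11-05 10:14:02.113  1023  1023 I gnss_service: started
11-05 10:14:07.554   812   812 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 812 (gnss_service)
11-05 10:14:07.601   812   812 W auditd  : type=1400 audit(0.0:57): avc: denied { write } for pid=812 comm="gnss_service" name="properties" scontext=u:r:gnss_service:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
11-05 10:14:09.000   900   900 I ActivityManager: Start proc 4321:com.example.app/u0a123
"""

if __name__ == "__main__":
    for no, tag in scan_log(SAMPLE_LOG):
        print(f"line {no}: {tag}")
    print("patch level current:", patch_level_is_current("2025-11-05", "2025-11-01"))
```

Feed it `adb logcat -d` output (or an exported audit log) instead of the constructed sample to triage a real device.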