4.6
Device ID Leak in Preloader Software
CVE-2026-20435
Summary
A logic error in the preloader, the component that loads software before the operating system starts, could allow someone with physical access to a device to read its unique identifiers, which could be misused. Exploitation requires physical access to the device, but no additional execution privileges and no user interaction. To stay safe, apply the latest updates to the preloader software.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| linuxfoundation | yocto | 4.0 | – |
| rdkcentral | rdk-b | 2022q3 | – |
| rdkcentral | rdk-b | 2024q1 | – |
| | android | 14.0 | – |
| | android | 15.0 | – |
| | android | 16.0 | – |
| openwrt | openwrt | 21.02.0 | – |
| openwrt | openwrt | 23.05.0 | – |
| zephyrproject | zephyr | 3.7.0 | – |
Original title
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no ...
Original description
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
nvd CVSS3.1
4.6
Vulnerability type
CWE-522
Insufficiently Protected Credentials
- https://corp.mediatek.com/product-security-bulletin/March-2026 (Vendor Advisory)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026