Overview
- New reporting from Android-focused outlets says the MediaTek vulnerability may affect more devices than first estimated.
- Ledger’s Donjon team demonstrated the flaw on a Nothing CMF Phone 1, extracting a PIN and wallet seed in under a minute via a pre-boot attack.
- Ledger attributed the issue to Trustonic’s Kinibi TEE on MediaTek chips, a claim Trustonic rejects, saying the same Kinibi version is secure on other SoCs.
- Trustonic adds that Kinibi is not present on all MediaTek chipsets and argues it should not be singled out for the flaw.
- MediaTek distributed a fix for the flaw (CVE-2026-20435) to manufacturers on January 5, but consumer protection depends on device makers shipping firmware updates and users installing them.