feat(hw-fw): CVE-2023-20819 modem-family version_regex — forward-prepared

Reviewer B 2026-05-15-PM HIGH carried-forward from postmortem-hw-firmware-
tegra-activation-2026-05-15. Per Rule digitalandrew#19 recursive NVD-CPE
verification, NVD CPE narrows CVE-2023-20819 to exactly 6 MediaTek
modem-OS families: lr11 / lr12a / lr13 / nr15 / nr16 / nr17. The
hardware chipset CPEs (66 entries MT2731..MT8798) are sibling
AND-nodes describing the runtime substrate, NOT version anchors.

Pre-narrowing the entry fired on EVERY MediaTek modem blob (20 rows
current corpus) regardless of family. Post-narrowing, the
version_regex restricts firings to blobs whose `version` field
contains an NVD-CPE-affected family token.

NVD-CPE verification (recursive — implementer-side WebFetch in scout
report + this commit re-verifies regex against published CPE strings):
  - cpe:2.3:o:mediatek:lr11:-:*:*:*:*:*:*:*
  - cpe:2.3:o:mediatek:lr12a:-:*:*:*:*:*:*:*
  - cpe:2.3:o:mediatek:lr13:-:*:*:*:*:*:*:*
  - cpe:2.3:o:mediatek:nr15:-:*:*:*:*:*:*:*
  - cpe:2.3:o:mediatek:nr16:-:*:*:*:*:*:*:*
  - cpe:2.3:o:mediatek:nr17:-:*:*:*:*:*:*:*

Regex shape (boundary-aware, case-insensitive):
  (?i)(?:^|[^a-z0-9])(lr11|lr12a|lr13|nr15|nr16|nr17)(?:[^a-z0-9]|$)

Boundary check (`(?:^|[^a-z0-9])` / `(?:[^a-z0-9]|$)`) prevents false
positives on confused substrings — e.g. `nr155_else` (nr155 ≠ nr15)
and `lr12abc` (lr12abc ≠ lr12a). Tolerates dot, underscore, and
end-of-string separators per the canonical MOLY banner shapes
(MOLY.LR12A.R3.MP.V101 / MOLY_NR16_R1 / bare `lr12a`).

Forward-prepared per Tegra precedent (Pattern digitalandrew#3 from postmortem-hw-
firmware-tegra-activation-2026-05-15 — forward-prepared CVE pins ship
with documented activation conditions; activate via N follow-up
commits when extraction infrastructure lands). Current state:
  - mtk_modem parser DOES NOT populate blob.version with MOLY banner
    (Scout 3 verified via parsers/mediatek_modem.py:46-50 _VERSION_RES
    regex set — none of the patterns capture lr11..nr17)
  - matcher version_regex semantics are HARD REJECT (Scout 3 verified
    via cve_matcher.py:480-491; comment confirms "Stays STRICT — when
    present, version evidence MUST be found")
  - Net corpus effect post-rebuild: CVE-2023-20819 row count
    20 → 0 (BETTER than the over-attributed pre-narrowing rows per
    Reviewer B's NVD-CPE evidence; activates when mtk_modem parser
    ships version-banner extraction in a future session)

5 new paired-canary tests (Rule #46):
  - test_cve_2023_20819_version_regex_present_and_matches_six_families
    (positive: all 6 NVD families in real-world MOLY banner shapes;
     negative: LR18/NR18/LR12 out-of-scope + confused-substring
     guards `nr155_else` and `lr12abc`)
  - test_cve_2023_20819_hard_rejects_blob_with_null_version (gate-
    canary asserts the matcher's HARD-REJECT version_regex semantics
    actually fire on NULL — without this, a silent regression to
    soft-fallback would re-introduce the over-attribution)
  - test_cve_2023_20819_fires_when_version_contains_lr12a (Rule #46
    positive-arm — confirms the gate doesn't silently drop all
    matches due to a regex bug; activates with mtk_modem parser
    shipment)
  - test_cve_2023_20819_excludes_out_of_scope_family_versions (Rule
    #46 negative-arm — even with MOLY banner present, out-of-NVD-
    scope families like LR18 must not fire)
  - test_cve_2023_20819_entry_satisfies_f_forensic_10_gate (asserts
    the entry survives the F-FORENSIC-10 load filter)

Verification: all 5 new tests pass; full cve_matcher + forensic10
alignment suite (98 tests) passes under
`uv run --frozen pytest backend/tests/test_hardware_firmware_cve_matcher.py
 backend/tests/test_forensic10_alignment.py -v`.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-20819
- M-MOLY01068234 (MediaTek PSB)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: eastmadc

backend/app/services/hardware_firmware/known_firmware.yaml

@@ -394,6 +394,26 @@ families:
     vendor: mediatek
     category: modem
     category_regex: "^modem$"
+    # Reviewer B 2026-05-15-PM HIGH: NVD CPE narrows CVE-2023-20819 to
+    # exactly 6 MediaTek modem-OS families (lr11, lr12a, lr13, nr15,
+    # nr16, nr17). NVD lists 66 hardware chipset CPEs (MT2731..MT8798)
+    # as sibling AND-nodes describing the runtime substrate, not as
+    # version anchors. version_regex below is HARD-REJECT (cve_matcher
+    # version_regex semantics, lines ~480-491) — gate fires zero matches
+    # until the mtk_modem parser populates blob.version with the MOLY
+    # banner (e.g. ``MOLY.LR12A.R3.MP.V101``) OR a metadata string
+    # carrying the family token. Forward-prepared per Tegra precedent
+    # (postmortem-hw-firmware-tegra-activation-2026-05-15 Pattern #3 —
+    # forward-prepared CVE pins ship with documented activation
+    # conditions; activate via N follow-up commits when extraction
+    # infrastructure lands).
+    # Per Rule #19 recursive NVD-CPE verification: 6 family values are
+    # NVD-CPE-derived (cpe:2.3:o:mediatek:{lr11,lr12a,lr13,nr15,nr16,
+    # nr17}:-:*) NOT intuition. Eliminates the over-attribution risk
+    # surfaced by Reviewer B: pre-narrowing, every MediaTek modem blob
+    # fired CVE-2023-20819 (20 rows) regardless of family — post-
+    # narrowing, only blobs with one of the 6 affected families fire.
+    version_regex: "(?i)(?:^|[^a-z0-9])(lr11|lr12a|lr13|nr15|nr16|nr17)(?:[^a-z0-9]|$)"
     cves:
       - CVE-2023-20819
     severity: critical
@@ -403,6 +423,7 @@ families:
       from malicious base station.  LR11/LR12a/LR13/NR15/NR16/NR17
       firmware branches affected; no extractable banner without DbgInfo
       sidecar (cyrozap mediatek-lte-baseband-re notes).
+      Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-20819
 
   - name: MediaTek modem 5G NAS RCE cluster (Feb 2024)
     vendor: mediatek

backend/tests/test_hardware_firmware_cve_matcher.py

@@ -1971,6 +1971,222 @@ def test_tegra_cve_pins_cvss_scores_match_nvd_primary() -> None:
         )
 
 
+# ---------------------------------------------------------------------------
+# MediaTek modem CDMA PPP RCE (CVE-2023-20819) version-regex narrowing —
+# Reviewer B 2026-05-15-PM HIGH carried-forward from postmortem
+# hw-firmware-tegra-activation-2026-05-15. NVD CPE narrows the CVE to
+# exactly 6 MediaTek modem-OS families: lr11 / lr12a / lr13 / nr15 /
+# nr16 / nr17 (cpe:2.3:o:mediatek:<family>:-:* lines per the NVD JSON).
+# Pre-narrowing the entry fired on every MediaTek modem blob (20 rows
+# currently); post-narrowing the version_regex hard-rejects blobs whose
+# `version` field doesn't match one of the 6 families.
+#
+# Forward-prepared per the Tegra precedent (Pattern #3 from postmortem-
+# hw-firmware-tegra-activation-2026-05-15) — mtk_modem parser does not
+# yet harvest MOLY family banners from modem.img blobs. Once it does,
+# this pin activates without further changes. Until then, the entry
+# emits zero CVE rows (better than the 20 over-attributed pre-narrowing
+# rows per Reviewer B's NVD-CPE evidence).
+# ---------------------------------------------------------------------------
+
+
+def test_cve_2023_20819_version_regex_present_and_matches_six_families() -> None:
+    """The CVE-2023-20819 entry carries a version_regex covering exactly
+    the 6 NVD-CPE-affected MediaTek modem-OS families.
+
+    Per Rule #19 recursive NVD-CPE verification — the regex's enumerated
+    values (lr11/lr12a/lr13/nr15/nr16/nr17) are NVD-CPE-derived from
+    direct WebFetch on services.nvd.nist.gov/.../cves/2.0?cveId=
+    CVE-2023-20819 (not intuition).
+    """
+    import re as _re
+
+    families = _load_known_firmware()
+    fam = _find_family_by_cve(list(families), "CVE-2023-20819")
+    assert fam is not None, "CVE-2023-20819 entry missing from YAML"
+    version_re = fam.get("version_regex")
+    assert version_re, (
+        "CVE-2023-20819 entry missing version_regex — Reviewer B 2026-"
+        "05-15-PM HIGH realignment regression. NVD CPE narrows to 6 "
+        "specific modem-OS families; entry without version_regex fires "
+        "on every MediaTek modem blob"
+    )
+    patt = _re.compile(version_re, _re.IGNORECASE)
+
+    # Positive — the 6 NVD-CPE-affected families, in real-world MOLY
+    # banner shapes the mtk_modem parser will eventually emit:
+    positive_cases = (
+        "MOLY.LR11.R2.MP.V42",
+        "MOLY.LR12A.R3.MP.V101",
+        "MOLY.LR13.R1.MP.V1",
+        "MOLY.NR15.R1.MP.V1",
+        "MOLY.NR16.R1.MP.V1",
+        "MOLY.NR17.R1.MP.V1",
+        # bare lowercase forms (defensive — operator-supplied banners
+        # may not preserve case)
+        "lr12a",
+        "nr16",
+        # underscore-separated form (some parser banners use _ separator)
+        "MOLY_NR16_R1",
+    )
+    for s in positive_cases:
+        assert patt.search(s), (
+            f"version_regex missed NVD-scope family in {s!r} — should "
+            "match one of (lr11/lr12a/lr13/nr15/nr16/nr17)"
+        )
+
+    # Negative — out-of-scope families that NVD does NOT list:
+    negative_cases = (
+        "MOLY.LR18.MP.V1",
+        "MOLY.NR18.MP.V1",
+        "MOLY.NR12.MP.V1",
+        # Confused-substring guards — boundary regex must NOT match
+        # these even though the family token appears as a substring:
+        "somewhere_nr155_else",  # nr155 is not nr15
+        "somewhere_lr12abc",  # lr12abc is not lr12a
+        # Pre-MOLY blobs (no version evidence)
+        "",
+    )
+    for s in negative_cases:
+        assert not patt.search(s), (
+            f"version_regex over-matched out-of-scope family in {s!r} — "
+            "NVD CPE only enumerates 6 families; this regex must not "
+            "fire on other tokens. Risk: re-introducing over-attribution "
+            "Reviewer B 2026-05-15-PM flagged"
+        )
+
+
+def test_cve_2023_20819_hard_rejects_blob_with_null_version() -> None:
+    """Rule #46 gate-canary: confirms the matcher HARD-REJECTS
+    CVE-2023-20819 on a blob without an extractable MOLY family.
+
+    cve_matcher version_regex semantics are HARD-REJECT — when set, the
+    matcher requires version evidence to fire (cve_matcher.py lines
+    ~480-491; ``Stays STRICT — when present, version evidence MUST be
+    found``). Soft-fallback applies to chipset_regex only. This test
+    confirms the gate's hard-reject path actually fires; without it, a
+    silent semantics regression to soft-fallback (which would re-
+    introduce the over-attribution Reviewer B caught) would go
+    undetected.
+
+    Forward-prepared: today the mtk_modem parser does NOT populate
+    blob.version with the MOLY banner; this test asserts the CVE row
+    is suppressed. When parser shipment lands, a paired positive-arm
+    test should land alongside (operator-targeted naming:
+    test_cve_2023_20819_fires_when_mtk_modem_emits_lr12a).
+    """
+    blob = _make_blob(
+        vendor="mediatek",
+        category="modem",
+        version=None,  # mtk_modem parser doesn't populate this today
+        chipset_target=None,
+        metadata={},
+    )
+    matches = _match_curated(blob, _load_known_firmware())
+    cve_ids = {m.cve_id for m in matches}
+    assert "CVE-2023-20819" not in cve_ids, (
+        "CVE-2023-20819 fired on a MediaTek modem blob WITHOUT MOLY "
+        "version evidence — Reviewer B 2026-05-15-PM realignment "
+        "regression. version_regex must HARD-REJECT on NULL version "
+        "to prevent over-attribution on the 20 modem blobs currently "
+        "in corpus that have NULL version_extracted. Investigate "
+        "whether matcher semantics regressed from hard-reject to "
+        "soft-fallback"
+    )
+
+
+def test_cve_2023_20819_fires_when_version_contains_lr12a() -> None:
+    """Rule #46 positive-arm canary: when blob.version contains an
+    NVD-CPE-affected family token, the CVE row IS emitted.
+
+    Forward-prepared shape: this test synthesizes the expected blob
+    state once the mtk_modem parser harvests MOLY banners. Confirms
+    the version_regex correctly fires on the in-scope shape; without
+    it, a regex bug that silently dropped all matches would go
+    undetected.
+    """
+    blob = _make_blob(
+        vendor="mediatek",
+        category="modem",
+        version="MOLY.LR12A.R3.MP.V101",
+        chipset_target=None,
+        metadata={},
+    )
+    matches = _match_curated(blob, _load_known_firmware())
+    cve_ids = {m.cve_id for m in matches}
+    assert "CVE-2023-20819" in cve_ids, (
+        "CVE-2023-20819 did NOT fire on a MediaTek modem blob with "
+        "MOLY.LR12A version evidence — version_regex shape may have "
+        "regressed; NVD CPE explicitly lists lr12a as in-scope"
+    )
+
+
+def test_cve_2023_20819_excludes_out_of_scope_family_versions() -> None:
+    """Rule #46 negative-arm canary: blobs with out-of-NVD-scope family
+    (e.g. LR18 / NR18 / LR14) MUST NOT fire CVE-2023-20819.
+
+    The over-attribution risk Reviewer B flagged is firing on EVERY
+    MediaTek modem blob; this test asserts the in-corpus shape where
+    a blob HAS a MOLY family but it's outside NVD scope still produces
+    zero CVE-2023-20819 rows.
+    """
+    for out_of_scope_version in (
+        "MOLY.LR18.MP.V1",
+        "MOLY.NR18.MP.V1",
+        "MOLY.LR14.MP.V1",
+    ):
+        blob = _make_blob(
+            vendor="mediatek",
+            category="modem",
+            version=out_of_scope_version,
+            chipset_target=None,
+            metadata={},
+        )
+        matches = _match_curated(blob, _load_known_firmware())
+        cve_ids = {m.cve_id for m in matches}
+        assert "CVE-2023-20819" not in cve_ids, (
+            f"CVE-2023-20819 fired on blob with out-of-NVD-scope "
+            f"version {out_of_scope_version!r} — version_regex "
+            "appears to over-match beyond NVD's 6-family scope "
+            "(lr11/lr12a/lr13/nr15/nr16/nr17)"
+        )
+
+
+def test_cve_2023_20819_entry_satisfies_f_forensic_10_gate() -> None:
+    """Rule #46 gate-confirmation canary: the CVE-2023-20819 entry's
+    version_regex is one of the 4 narrowing-field allowlist members,
+    so the F-FORENSIC-10 gate accepts the entry at load time.
+
+    Confirms the realignment doesn't accidentally land in a shape
+    that the gate would silently reject (which would cause
+    CVE-2023-20819 to disappear from the loaded family list, NOT
+    fire on any blob, and silently regress the curated coverage).
+    """
+    families = _load_known_firmware()
+    fam = _find_family_by_cve(list(families), "CVE-2023-20819")
+    assert fam is not None, (
+        "CVE-2023-20819 entry was REJECTED by the F-FORENSIC-10 gate "
+        "at load time — version_regex isn't satisfying the narrowing "
+        "requirement. Re-check the entry shape"
+    )
+    from app.services.hardware_firmware.cve_matcher import (
+        _KNOWN_FIRMWARE_NARROWING_FIELDS,
+    )
+
+    has_narrowing = any(
+        fam.get(field) is not None
+        for field in _KNOWN_FIRMWARE_NARROWING_FIELDS
+    )
+    assert has_narrowing, (
+        "CVE-2023-20819 entry shipped without ANY narrowing field — "
+        "F-FORENSIC-10 gate would reject"
+    )
+    assert fam.get("version_regex"), (
+        "CVE-2023-20819 entry should carry the version_regex specifically "
+        "(per Reviewer B 2026-05-15-PM NVD-CPE-derived narrowing)"
+    )
+
+
 # ---------------------------------------------------------------------------
 # F-FORENSIC-10 schema gate analog (Reviewer B B1 2026-05-15) — CVE-bearing
 # entries MUST set at least one narrowing field beyond vendor + category