CVE-2018-21089: 
NixOS vulnerability analysis and mitigation

An issue was discovered on Samsung mobile devices with N(7.x) (MT6755/MT6757 Mediatek models) software. Bootloader has an integer overflow vulnerability that leads to arbitrary code execution via the download offset control. The Samsung ID is SVE-2017-10732, disclosed in January 2018 (NVD).

The vulnerability is classified as an Integer Overflow or Wraparound (CWE-190) that affects the bootloader component. The vulnerability has a CVSS v3.1 Base Score of 9.8 CRITICAL with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity and availability (NVD).

The vulnerability allows attackers to execute arbitrary code via the download offset control in the bootloader. Given the CVSS score and vector, successful exploitation could lead to complete compromise of the affected device with no user interaction required (NVD).

The vulnerability affects Android 7.x devices using MT6755/MT6757 Mediatek chipsets. Users should upgrade to newer Android versions if available for their devices. Samsung has addressed this in their security updates (Samsung Mobile).