CVE-2020-12753: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2020-12753) was discovered in LG mobile devices running Android OS versions 7.2, 8.0, 8.1, 9, and 10 software. The vulnerability, identified in May 2020 with LG ID LVE-SMP-200006, allows arbitrary code execution via the bootloader due to an EL1/EL3 coldboot vulnerability involving raw_resources. This security flaw affects approximately seven years of LG Android smartphones, dating back to the LG Nexus 5 series (ZDNet).

The vulnerability exists in the bootloader component's graphics package, specifically in the raw_resources partition that stores boot graphics for Download Mode, fastboot graphics, and charging graphics. The flaw allows attackers to exploit unchecked offs_x and offs_y parameters during image decompression, leading to controlled arbitrary write in both SBL1 and aboot environments. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, the vulnerability enables attackers to gain control over the bootloader and inherently the entire device. This could lead to complete device compromise, allowing unauthorized access to device secrets and potentially bypassing Android's Verified Boot security measures (ZDNet).

LG has released a firmware fix for this vulnerability in the LVE-SMP-200006 security update, which was released in early May 2020. Device owners, particularly those with high-security requirements, are strongly advised to apply this update (ZDNet).