CVE-2022-20028: 
NixOS vulnerability analysis and mitigation

CVE-2022-20028 is a high-severity vulnerability discovered in MediaTek's Bluetooth implementation. The vulnerability was identified and disclosed in February 2022, affecting various MediaTek chipsets including MT8167, MT8175, MT8183, MT8362A, MT8365, and MT8385. The issue stems from a possible out-of-bounds write operation due to a missing bounds check in the Bluetooth component (MediaTek Bulletin, NVD).

The vulnerability is classified as a Stack-based Buffer Overflow (CWE-123) that could lead to local escalation of privilege. The technical root cause is attributed to a missing bounds check in the Bluetooth component, which could result in an out-of-bounds write operation. The vulnerability affects Android versions 8.1, 9.0, 10.0, 11.0, and 12.0 running on the affected MediaTek chipsets (MediaTek Bulletin).

The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. No user interaction is required for exploitation, making it particularly concerning. The vulnerability received a High severity rating according to MediaTek's assessment (MediaTek Bulletin).

MediaTek has addressed this vulnerability through security patches and has notified device OEMs of the issues. The patches were provided to OEMs at least two months before the public disclosure in February 2022 (MediaTek Bulletin).