CVE-2022-20059: 
NixOS vulnerability analysis and mitigation

In preloader (usb), there is a possible out of bounds write vulnerability due to a missing bounds check in MediaTek chipsets. This vulnerability was assigned CVE-2022-20059 and was disclosed in March 2022. The vulnerability affects multiple MediaTek chipset models including MT6761, MT6762, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, and several others running Android versions 10.0, 11.0, and 12.0 (MediaTek Bulletin).

The vulnerability is classified as a CWE-787 Out-of-bounds Write issue with a Medium severity rating. The vulnerability exists in the preloader USB component where a missing bounds check can lead to an out-of-bounds write condition. The vulnerability requires physical access to the device and user interaction for successful exploitation (MediaTek Bulletin).

If exploited, this vulnerability could lead to local escalation of privilege. The attacker would need physical access to the device, but no additional execution privileges would be required. The vulnerability requires user interaction to be exploited (MediaTek Bulletin).

MediaTek has released security patches to address this vulnerability. Device OEMs were notified of the issue and corresponding security patches at least two months before the public disclosure. Users should ensure their devices are updated with the latest security patches (MediaTek Bulletin).