CVE-2023-20685: 
NixOS vulnerability analysis and mitigation

CVE-2023-20685 is a medium severity vulnerability discovered in MediaTek's video decoder (vdec) component. The vulnerability was disclosed in April 2023 and affects various MediaTek chipsets running Android 12.0 and 13.0 operating systems. The issue stems from a race condition that could lead to a use-after-free scenario (MediaTek Bulletin).

The vulnerability is classified as a Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) issue, identified as CWE-362. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists in the video decoder component where improper synchronization can lead to a use-after-free condition (NVD).

If exploited, this vulnerability could lead to local escalation of privilege with System execution privileges. The attack requires no user interaction for exploitation, though it does require the attacker to have local access to the device (MediaTek Bulletin).

The vulnerability affects specific MediaTek chipsets including MT6789, MT6855, MT6879, MT6895, MT6983, MT8673, MT8781, MT8795T, MT8798, and MT8891 running Android 12.0 and 13.0. MediaTek has released patches to address this vulnerability, and device manufacturers have been notified of the issue (MediaTek Bulletin).