CVE-2023-20718: 
NixOS vulnerability analysis and mitigation

CVE-2023-20718 is a security vulnerability discovered in MediaTek's vcu (Video Codec Unit) component. The vulnerability was disclosed in May 2023 and affects various MediaTek chipsets used in Android devices and IoT systems. The issue stems from a missing bounds check that could lead to an out-of-bounds write condition (MediaTek Bulletin).

The vulnerability is classified as a medium severity issue with a CWE-20 (Improper Input Validation) designation. It requires system execution privileges for exploitation and no user interaction is needed. The vulnerability affects multiple MediaTek chipset series including MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6855, MT6873, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8175, MT8195, MT8365, MT8395, MT8673, MT8781, MT8786, MT8789, MT8791T, and MT8797. The affected software versions include Android 11.0, 12.0, 13.0, and IoT-Yocto 22.2 (Yocto 4.0) (MediaTek Bulletin).

If exploited, this vulnerability could lead to local escalation of privilege when an attacker has system execution privileges. The vulnerability's nature (out-of-bounds write) could potentially allow an attacker to manipulate memory contents, potentially leading to system compromise (NVD).

MediaTek has addressed this vulnerability and notified device OEMs of the security patches at least two months before the public disclosure. Users should ensure their devices are updated with the latest security patches provided by their device manufacturers (MediaTek Bulletin).