CVE-2023-20726: 
NixOS vulnerability analysis and mitigation

CVE-2023-20726 is a security vulnerability discovered in the mnld (MediaTek GNSS Location Daemon) component affecting various MediaTek chipsets. The vulnerability was disclosed on May 15, 2023, and involves a potential leak of GPS location information due to a missing permission check. This vulnerability affects multiple MediaTek chipset series including MT6880, MT6890, MT6980, MT6980D, and MT6990, among others, running on Android versions 11.0, 12.0, 13.0, OpenWrt 19.07 and 21.02, Yocto 2.6 and 3.3, and RDKB 2022Q3 (MediaTek Bulletin).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 3.3 (Low), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability exists due to improper access control in the mnld component, which handles GPS location services. The issue stems from a missing permission check that could allow unauthorized access to GPS location data. No additional execution privileges are required for exploitation, and user interaction is not needed (NVD).

The vulnerability can lead to local information disclosure of GPS location data. This means that an unauthorized local attacker could potentially access sensitive location information without proper authorization. The impact is limited to information disclosure with no ability to modify or destroy data (MediaTek Bulletin).

MediaTek has addressed this vulnerability through patches identified as ALPS07735968 / ALPS07884552, specifically for MT6880, MT6890, MT6980, MT6980D and MT6990 chipsets. Device manufacturers have been notified of the issues and corresponding security patches at least two months before the public disclosure (MediaTek Bulletin).