CVE-2023-20736: 
NixOS vulnerability analysis and mitigation

CVE-2023-20736 is a security vulnerability discovered in MediaTek's vcu (Video Codec Unit) component. The vulnerability was disclosed in June 2023 and affects multiple MediaTek chipsets including MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8168, MT8365, and MT8395. The affected software versions include Android 12.0, 13.0, Yocto 4.0, and Iot-Yocto 22.2 (MediaTek Bulletin).

The vulnerability is classified as a race condition that could lead to an out-of-bounds write in the vcu component. It has been assigned CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-787 (Out-of-bounds Write) classifications. The vulnerability received a CVSS v3.1 base score of 6.4 (Medium), with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating local access, high attack complexity, high privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability could lead to local escalation of privilege with System execution privileges. The successful exploitation of this vulnerability could allow an attacker to execute code with elevated system privileges, potentially compromising the security of the affected device (MediaTek Bulletin).

MediaTek has addressed this vulnerability through security patches identified as Patch ID: ALPS07645149 and Issue ID: ALPS07645189. Device manufacturers using affected MediaTek chipsets should apply the necessary security updates to mitigate this vulnerability (MediaTek Bulletin).