CVE-2023-20738: 
NixOS vulnerability analysis and mitigation

CVE-2023-20738 is a vulnerability discovered in MediaTek's vcu (Video Coding Unit) component. The vulnerability was disclosed on June 6, 2023, and affects multiple MediaTek chipsets running Android 12.0, 13.0, Yocto 4.0, and Iot-Yocto 22.2 operating systems. The issue stems from a possible out-of-bounds write condition due to a missing bounds check (MediaTek Bulletin).

The vulnerability is classified as a CWE-20 Improper Input Validation issue with a CVSS v3.1 base score of 6.7 (Medium severity). The vulnerability vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, high privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (NVD).

If exploited, this vulnerability could lead to local escalation of privilege with System execution privileges. The vulnerability affects a wide range of MediaTek chipsets, including MT5696, MT5836, MT5838, MT6768, MT6769, MT6779, and many others, potentially impacting numerous devices running on these platforms (MediaTek Bulletin).

MediaTek has addressed this vulnerability through security patches identified as Patch ID: ALPS07645149 and Issue ID: ALPS07645173. Device manufacturers have been notified of the issues and corresponding security patches at least two months before the public disclosure (MediaTek Bulletin).