CVE-2023-20746: 
NixOS vulnerability analysis and mitigation

CVE-2023-20746 is a security vulnerability discovered in MediaTek's vcu (Video Coding Unit) component. The vulnerability was disclosed in June 2023 and affects multiple MediaTek chipsets including MT6789, MT6855, MT8167, MT8168, MT8173, MT8185, MT8195, MT8321, MT8365, MT8395, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, and MT8797. The affected software versions include Android 12.0, 13.0, Yocto 4.0, and Iot-Yocto 22.2 (Vendor Advisory).

The vulnerability is classified as an improper synchronization issue (CWE-662) in the vcu component. It involves a possible out-of-bounds write condition that occurs due to improper locking mechanisms. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.7 (Medium severity) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with high privileges needed (NVD).

The vulnerability can lead to local escalation of privilege with System execution privileges. The successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with elevated system privileges, potentially compromising the security of the affected device (Vendor Advisory).

MediaTek has addressed this vulnerability through security patches. Device manufacturers using affected MediaTek chipsets have been notified of the issues and corresponding security patches at least two months before the public disclosure (Vendor Advisory).