CVE-2023-20790: 
NixOS vulnerability analysis and mitigation

CVE-2023-20790 is a medium severity vulnerability discovered in the nvram component of MediaTek chipsets. The vulnerability was disclosed on August 7, 2023, and affects multiple MediaTek chipset models across various software platforms including Android 12.0/13.0, OpenWrt 19.07/21.02, RDK-B 22Q3, and Yocto 2.6/3.3. The issue stems from a possible out-of-bounds write condition due to a missing bounds check (MediaTek Bulletin).

The vulnerability is classified as an Improper Input Validation (CWE-20) issue with a CVSS v3.1 Base Score of 4.4 (MEDIUM) and vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability requires local access and high privileges for exploitation, but no user interaction is needed. The vulnerability specifically affects the nvram component where a missing bounds check can lead to an out-of-bounds write condition (NVD).

If exploited, this vulnerability could lead to local information disclosure with System execution privileges. The impact is limited to information disclosure without affecting system integrity or availability (MediaTek Bulletin).

MediaTek has released security patches to address this vulnerability. The fix has been distributed to device OEMs at least two months before the public disclosure. Users should ensure their devices are updated with the latest security patches (MediaTek Bulletin).