CVE-2024-20022: 
NixOS vulnerability analysis and mitigation

CVE-2024-20022 is a high-severity vulnerability discovered in MediaTek's lk component. The vulnerability stems from a missing bounds check that could lead to local escalation of privilege. This vulnerability affects multiple MediaTek chipsets across various platforms including Android (versions 12.0, 13.0, 14.0), OpenWrt (versions 19.07, 21.02), Yocto (version 3.3), and RDK-B (version 22Q3) (MediaTek Bulletin).

The vulnerability has been assigned a CVSS v3.1 base score of 6.7 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is characterized by improper privilege management (CWE-269) in the lk component, where a missing bounds check creates a security weakness. The vulnerability requires System execution privileges for exploitation, and no user interaction is needed (NVD Database).

If exploited, this vulnerability could allow an attacker to achieve local escalation of privilege if they have already obtained System privileges. The impact spans across multiple MediaTek chipsets including MT2737, MT6789, MT6835, MT6855, MT6879, MT6880, MT6886, MT6890, MT6895, MT6980, MT6983, MT6985, MT6989, MT6990, and several others (MediaTek Bulletin).

MediaTek has addressed this vulnerability through security patches. Device OEMs have been notified of the issues and corresponding security patches at least two months before publication. Users and administrators are advised to update their devices with the latest security patches provided by their device manufacturers (MediaTek Bulletin).