CVE-2024-20084: 
NixOS vulnerability analysis and mitigation

CVE-2024-20084 is a vulnerability discovered in MediaTek's power management system. The vulnerability was disclosed on September 2, 2024, affecting various MediaTek chipsets and multiple software platforms. The issue stems from a missing bounds check in the power component that could lead to an out-of-bounds read vulnerability (MediaTek Bulletin).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) with a CVSS v3.1 Base Score of 4.4 (Medium). The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring High privileges (PR:H), and No user interaction (UI:N). The scope is Unchanged (S:U), with High confidentiality impact (C:H), but No impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability could lead to local information disclosure if a malicious actor has already obtained System execution privileges. The impact is limited to confidentiality, potentially exposing sensitive information to attackers who have already gained elevated privileges on the system (MediaTek Bulletin).

The vulnerability affects multiple software versions including Android 13.0, 14.0, Yocto 2.6, 3.3, 4.0, openWRT 19.07, 21.02, 23.05, and RDK-B 22Q3. Device OEMs have been notified of the issues and corresponding security patches at least two months before the public disclosure (MediaTek Bulletin).