CVE-2024-20085: 
NixOS vulnerability analysis and mitigation

CVE-2024-20085 is a security vulnerability discovered in MediaTek power components. The vulnerability was disclosed on September 2, 2024, and affects multiple MediaTek chipsets including various MT series processors used in Android devices, Yocto, OpenWRT, and RDK-B platforms. This vulnerability is characterized as an out-of-bounds read issue due to a missing bounds check (MediaTek Bulletin).

The vulnerability is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 4.4 (Medium severity). The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating local access, low attack complexity, high privileges required, no user interaction needed, unchanged scope, high confidentiality impact, and no impact on integrity or availability (NVD).

The vulnerability could lead to local information disclosure if a malicious actor has already obtained System execution privileges. The impact is limited to information disclosure with no effects on system integrity or availability (MediaTek Bulletin).

The vulnerability affects multiple software versions including Android 13.0, 14.0, Yocto 2.6, 3.3, 4.0, openWRT 19.07, 21.02, 23.05, and RDK-B 22Q3. Device OEMs have been notified of the issues and corresponding security patches at least two months before the public disclosure (MediaTek Bulletin).