CVE-2024-20087: 
NixOS vulnerability analysis and mitigation

CVE-2024-20087 is a vulnerability discovered in MediaTek's vdec component, reported by MediaTek, Inc. The vulnerability was disclosed on September 2, 2024. It affects various MediaTek chipsets running Android 12.0, including MT6765, MT6768, MT6779, MT6785, MT8385, MT8666, MT8667, MT8766, MT8768, MT8781, MT8788, and MT8789 (MediaTek Bulletin).

The vulnerability is classified as an out-of-bounds write (CWE-787) due to a missing bounds check in the vdec component. The severity is rated as MEDIUM with a CVSS v3.1 base score of 6.7, with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. CISA-ADP has assessed it with a higher CVSS score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to local escalation of privilege if successfully exploited. The attacker would need System execution privileges for exploitation, and no user interaction is required. The vulnerability affects the confidentiality, integrity, and availability of the system with high impact (NVD).

MediaTek has developed patches for the affected devices and has notified device OEMs of the security patches at least two months before the public disclosure. Users should ensure their devices are updated with the latest security patches provided by their device manufacturers (MediaTek Bulletin).