CVE-2025-20641: 
NixOS vulnerability analysis and mitigation

CVE-2025-20641 is a security vulnerability discovered in MediaTek's Flash Tool V5 old-arch Lib component, disclosed on February 2, 2025. The vulnerability affects various MediaTek chipsets and Android versions 12.0 through 15.0. It has been assigned a CVSS v3.1 base score of 6.6 (Medium severity) and is identified as an out-of-bounds write vulnerability (CWE-787) (NVD, MediaTek Bulletin).

The vulnerability is characterized as an out-of-bounds write condition due to a missing bounds check in the DA component. The issue has been assigned CWE-787 (Out-of-bounds Write) classification. According to the CVSS v3.1 metrics, the vulnerability requires physical access (AV:P) with low attack complexity (AC:L), needs no privileges (PR:N), requires user interaction (UI:R), and can affect confidentiality, integrity, and availability at high levels (C:H/I:H/A:H) (NVD).

If exploited, this vulnerability could lead to local escalation of privilege on affected devices. The attack requires physical access to the device and user interaction for successful exploitation, but notably requires no additional execution privileges. The vulnerability affects a wide range of MediaTek chipsets, including MT6739, MT6761, MT6765, and numerous others, across multiple Android versions (MediaTek Bulletin).

MediaTek has addressed this vulnerability and notified device OEMs of the security patches at least two months before the public disclosure. Users should ensure their devices are updated with the latest security patches provided by their device manufacturers (MediaTek Bulletin).