CVE-2025-20656: 
NixOS vulnerability analysis and mitigation

CVE-2025-20656 is a high-severity vulnerability discovered in MediaTek's DA (Direct Access) component. The vulnerability was disclosed on April 7, 2025, affecting multiple MediaTek chipsets across various Android versions, OpenWRT, Yocto, and RDK-B platforms. This security flaw was internally discovered by MediaTek and has been assigned CWE-787 (Out-of-bounds Write) classification (MediaTek Bulletin).

The vulnerability is characterized as an out-of-bounds write condition due to a missing bounds check in the DA component. It has received a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The affected systems include various MediaTek chipsets (MT6781, MT6789, MT6835, MT6855, MT6878, MT6879, MT6886, MT6895, MT6897, MT6983, MT6985, MT6989, MT6990, MT8196, MT8370, MT8390) running on Android versions 12.0, 13.0, 14.0, 15.0, openWRT 21.02, 23.05, Yocto 4.0, and RDK-B 24Q1 (NIST NVD, MediaTek Bulletin).

The vulnerability could lead to local escalation of privilege if an attacker has physical access to the device. No additional execution privileges are required for exploitation, and user interaction is not needed. This makes the vulnerability particularly concerning for devices that might be physically accessible to potential attackers (MediaTek Bulletin).

MediaTek has released security patches for the affected devices and has notified device OEMs of the vulnerability at least two months before public disclosure. Users are advised to update their devices to the latest available software version that includes the security patch ALPS09625423 (MediaTek Bulletin).

The vulnerability has been included in Google's Android Security Bulletin for April 2025 as part of the MediaTek components security update. Security researchers have classified this as one of several high-rated vulnerabilities affecting Android MediaTek components (Security Online).