CVE-2025-20695: 
NixOS vulnerability analysis and mitigation

CVE-2025-20695 is a buffer underflow vulnerability discovered in MediaTek's Bluetooth firmware (FW). The vulnerability was disclosed on July 7, 2025, and affects multiple MediaTek chipsets including MT6639, MT6653, MT6985, MT6989, MT6990, MT6991, MT7925, MT7927, MT8196, MT8678, and MT8796. The affected software versions include Android 13.0, 14.0, 15.0, SDK release 3.7 and earlier versions, and OpenWRT versions 21.02 and 23.05 (MediaTek Bulletin).

The vulnerability is classified as a buffer underflow (CWE-124) in the Bluetooth firmware that occurs due to an uncaught exception. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating adjacent network attack vector, low attack complexity, no privileges required, and no user interaction needed (NVD).

The exploitation of this vulnerability could lead to remote denial of service (DoS) with no additional execution privileges needed. The attack can be executed without requiring user interaction, potentially causing system crashes in affected devices (MediaTek Bulletin).

MediaTek has released security patches to address this vulnerability. Device OEMs were notified of the issue and corresponding security patches at least two months before the public disclosure. Users are advised to update their devices to the latest firmware versions that include these security patches (MediaTek Bulletin).