CVE-2025-20749: 
NixOS vulnerability analysis and mitigation

CVE-2025-20749 is a stack overflow vulnerability discovered in the charger component of MediaTek chipsets. The vulnerability was disclosed on November 4, 2025, and involves a possible out-of-bounds write due to a missing bounds check. This security flaw affects multiple MediaTek chipset models including MT6789, MT6835, MT6855, MT6878, MT6879, MT6886, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8169, MT8188, MT8195, MT8196, MT8781, and MT8796 (MediaTek Bulletin).

The vulnerability is classified as a Stack-based Buffer Overflow (CWE-121) and Out-of-bounds Write (CWE-787). According to the CVSS 3.1 scoring system, it received a medium severity rating with a base score of 6.7. The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring High privileges (PR:H), and No user interaction (UI:N). The scope is Unchanged (S:U), with High impacts on Confidentiality (C:H), Integrity (I:H), and Availability (A:H) (NVD).

If exploited, this vulnerability could lead to local escalation of privilege, but only if a malicious actor has already obtained System privilege. The vulnerability affects the charger component and could potentially allow unauthorized write operations outside of intended buffer boundaries (MediaTek Bulletin).

MediaTek has addressed this vulnerability with a patch (Patch ID: ALPS09915493). Device OEMs were notified of the issue and corresponding security patches at least two months before the public disclosure (MediaTek Bulletin).