CVE-2020-36790 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix a memory leak

We forgot to free new_model_number

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability identified as CVE-2020-36790 represents a memory leak flaw within the Linux kernel's NVMe over Fabrics target implementation. This issue specifically affects the nvmet subsystem responsible for handling NVMe over Fabrics target operations in kernel versions prior to 5.9. The memory leak occurs during the processing of NVMe controller model number information, where the kernel fails to properly release allocated memory resources. This particular flaw manifests when the system handles new model number requests, leaving the memory allocated to new_model_number variable unreleased, which can lead to progressive memory consumption over time. The vulnerability is classified as a memory management issue that directly impacts system stability and resource utilization in environments heavily reliant on NVMe over Fabrics infrastructure.

The technical root cause of this vulnerability stems from inadequate memory management within the nvmet subsystem's handling of model number information. When the kernel processes incoming NVMe controller model number requests, it allocates memory for the new_model_number variable but fails to execute the corresponding deallocation routine. This memory leak represents a classic case of resource management failure where allocated kernel memory is not properly returned to the system's memory pool. The flaw exists in the nvmet subsystem's request processing logic and demonstrates poor adherence to memory lifecycle management principles that are fundamental to kernel security and stability. According to CWE classification, this vulnerability maps to CWE-401: Improper Release of Memory and falls under the broader category of memory management flaws that can lead to resource exhaustion.

The operational impact of CVE-2020-36790 extends beyond simple memory consumption issues, potentially affecting system performance and availability in production environments. While the immediate effect may appear benign, sustained memory leaks can progressively degrade system performance by consuming available memory resources, potentially leading to memory pressure conditions that affect other system processes. In high-availability environments utilizing NVMe over Fabrics target functionality, this vulnerability could contribute to system instability and may require system restarts to recover allocated memory. The vulnerability is particularly concerning in data center environments where NVMe over Fabrics targets are extensively used for high-performance storage networking, as the cumulative effect of memory leaks can impact overall system reliability and resource allocation efficiency.

Mitigation strategies for CVE-2020-36790 primarily involve applying the kernel patch that addresses the memory leak in the nvmet subsystem. System administrators should upgrade to kernel versions 5.9 or later where this vulnerability has been resolved through proper memory management implementation. The fix ensures that the new_model_number variable memory is properly released after processing, preventing the accumulation of unreleased memory fragments. Organizations should conduct thorough testing of kernel upgrades in non-production environments to verify compatibility with existing NVMe over Fabrics infrastructure. Additionally, monitoring systems should be implemented to detect memory consumption patterns that might indicate similar memory management issues in other kernel subsystems. From an ATT&CK framework perspective, this vulnerability could be leveraged by adversaries to perform resource exhaustion attacks, potentially leading to denial of service conditions, making proactive patch management essential for maintaining system security and availability.

Responsible

Linux

Reservation

02/26/2024

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!