CVE-2020-21490: 
NixOS vulnerability analysis and mitigation

A memory leak vulnerability was discovered in GNU Binutils version 2.34, specifically in the microblaze-dis.c component. The vulnerability was identified in 2019 and assigned CVE-2020-21490. The issue affects the disassembly functionality of GNU Binutils when processing microblaze instructions (NVD, Ubuntu Notice).

The vulnerability exists in the microblaze-dis.c file where memory is allocated but not properly freed during instruction disassembly. The issue occurs in the getfield function which uses strdup without corresponding memory deallocation, causing memory consumption on each instruction disassembled. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H ([Bugzilla Report](https://sourceware.org/bugzilla/showbug.cgi?id=25249), NVD).

When successfully exploited, this vulnerability can lead to a denial of service condition through memory exhaustion. The memory leak occurs progressively as each instruction is disassembled, potentially consuming system resources over time (NetApp Advisory, Ubuntu Notice).

The vulnerability was fixed in subsequent versions of GNU Binutils. The fix involves implementing a new string buffer management system to properly handle memory allocation and deallocation during instruction disassembly. The patch was committed to the master branch of binutils-gdb repository (Binutils Patch).