CVE-2020-25672: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2020-25672) was discovered in the Linux kernel's NFC LLCP protocol implementation, specifically in the llcpsockconnect function. The vulnerability was discovered by Kiyin (尹亮) of TenCent and was publicly disclosed on November 1, 2020 (OSS Security).

The vulnerability occurs in the llcpsockconnect function where memory allocated for llcpsock->servicename using kmemdup is not properly freed when nfcllcpsendconnect fails. This leads to a memory leak condition that can be triggered repeatedly since the socket state remains in LLCPCLOSED, allowing multiple calls to llcpsockconnect (OSS Security). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

A local user could exploit this vulnerability to cause a denial of service through memory exhaustion (Debian Security). The memory leak can be triggered repeatedly, potentially leading to system resource depletion.

The vulnerability has been fixed in various Linux distributions through security updates. For example, Debian 9 (Stretch) addressed this in linux version 4.9.272-1 and linux-4.19 version 4.19.194-1~deb9u1 (Debian Security). Fedora has also released fixes in kernel versions 5.11.14 for Fedora 32, 33, and 34 (Fedora Updates).