CVE-2020-8991: 
NixOS vulnerability analysis and mitigation

CVE-2020-8991 is a disputed vulnerability in LVM2 2.02, specifically in the vg_lookup function within daemons/lvmetad/lvmetad-core.c. The issue was identified as a memory leak that can be demonstrated by running the pvs command. RedHat has disputed this CVE as not being a true vulnerability, stating there is no apparent route to either privilege escalation or denial of service through the bug (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 2.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L. The issue is classified under CWE-401 (Missing Release of Memory after Effective Lifetime). The vulnerability requires local access and high privileges to exploit, with potential impact limited to availability (NVD).

The impact of this vulnerability is considered low, as it only results in a memory leak in the lvmetad daemon. There is no evidence of the vulnerability leading to privilege escalation or significant denial of service impacts, which is one of the main reasons why RedHat disputed its classification as a security vulnerability (NVD).

The issue has been fixed in various distributions including Debian's bullseye (2.03.11-2.1), bookworm (2.03.16-2), and sid/trixie (2.03.31-1) releases. Additionally, version 2.03.00 of LVM2 removed lvmetad and the vulnerable code entirely (Debian Tracker).