CVE-2021-3839 — Out-of-bounds Read in Data Plane Development KIT

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 35.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dpdk Dpdk Data Plane Development KIT Fedoraproject Fedora +2 more

Timeline

PublishedAug 23

Latest updateAug 24

Description

A flaw was found in the vhost library in DPDK. Function vhost_user_set_inflight_fd() does not validate `msg->payload.inflight.num_queues`, possibly causing out-of-bounds memory read/write. Any software using DPDK vhost library may crash as a result of this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDdpdk/data_plane_development_kit< 22.03+1

▶Debiandpdk/dpdk< 20.11.5-1~deb11u1+3

▶Ubuntudpdk/dpdk< 19.11.12-0ubuntu0.20.04.1+1

▶CVEListV5dpdk/dpdkFixed in dpdk v22.03

▶NVDredhat/enterprise_linux_fast_datapath7.0, 8.0+1

Also affects: Fedora 35, Enterprise Linux 7.0, 8.0, 9.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-c4mq-4x72-rfxj: A flaw was found in the vhost library in DPDK↗2022-08-24

▶

OSV

CVE-2021-3839: A flaw was found in the vhost library in DPDK↗2022-08-23

▶

CVEList

CVE-2021-3839: A flaw was found in the vhost library in DPDK↗2022-08-23

▶

OSV

dpdk vulnerabilities↗2022-05-04

▶

📋Vendor Advisories

Ubuntu

DPDK vulnerabilities↗2022-05-04

▶

Red Hat

DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash↗2022-04-29

▶

Debian

CVE-2021-3839: dpdk - A flaw was found in the vhost library in DPDK. Function vhost_user_set_inflight_...↗2021

▶