First published: Tue Nov 23 2021(Updated: )
A flaw was found in the vhost library in DPDK. Function vhost_user_set_inflight_fd() does not validate `msg->payload.inflight.num_queues`, possibly causing out-of-bounds memory read/write. Any software using DPDK vhost library may crash as a result of this vulnerability.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/openvswitch2.13 | <0:2.13.0-180.el8fd | 0:2.13.0-180.el8fd |
redhat/openvswitch2.15 | <0:2.15.0-99.el8fd | 0:2.15.0-99.el8fd |
redhat/openvswitch2.16 | <0:2.16.0-74.el8fd | 0:2.16.0-74.el8fd |
redhat/dpdk | <2:21.11.2-1.el9_1 | 2:21.11.2-1.el9_1 |
Dpdk Data Plane Development Kit | <22.03 | |
Dpdk Data Plane Development Kit | =22.03-rc1 | |
Dpdk Data Plane Development Kit | =22.03-rc2 | |
Dpdk Data Plane Development Kit | =22.03-rc3 | |
Fedoraproject Fedora | =35 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =9.0 | |
Redhat Enterprise Linux Fast Datapath | =7.0 | |
Redhat Enterprise Linux Fast Datapath | =8.0 |
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2021-3839 is a vulnerability in the vhost library in DPDK that can cause out-of-bounds memory read/write, potentially leading to a crash.
The severity level of CVE-2021-3839 is high, with a CVSS score of 7.5.
Any software using DPDK vhost library may be affected by CVE-2021-3839.
To fix CVE-2021-3839, upgrade to DPDK version 22.03 or apply the relevant patches provided by Red Hat.
You can find more information about CVE-2021-3839 in the references provided: [link1](https://github.com/DPDK/dpdk/commit/6442c329b9d2ded0f44b27d2016aaba8ba5844c5), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2081486), [link3](https://access.redhat.com/errata/RHSA-2022:4786).