Vulnerability Description
A flaw was found in the vhost library in DPDK. Function vhost_user_set_inflight_fd() does not validate `msg->payload.inflight.num_queues`, possibly causing out-of-bounds memory read/write. Any software using DPDK vhost library may crash as a result of this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dpdk | Data Plane Development Kit | < 22.03 |
| Fedoraproject | Fedora | 35 |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Enterprise Linux Fast Datapath | 7.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2021-3839Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2025882Issue TrackingPatchThird Party Advisory
- https://github.com/DPDK/dpdk/commit/6442c329b9d2ded0f44b27d2016aaba8ba5844c5PatchThird Party Advisory
- https://access.redhat.com/security/cve/CVE-2021-3839Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2025882Issue TrackingPatchThird Party Advisory
- https://github.com/DPDK/dpdk/commit/6442c329b9d2ded0f44b27d2016aaba8ba5844c5PatchThird Party Advisory
FAQ
What is CVE-2021-3839?
CVE-2021-3839 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in the vhost library in DPDK. Function vhost_user_set_inflight_fd() does not validate `msg->payload.inflight.num_queues`, possibly causing out-of-bounds memory read/write. Any softwar...
How severe is CVE-2021-3839?
CVE-2021-3839 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-3839?
Check the references section above for vendor advisories and patch information. Affected products include: Dpdk Data Plane Development Kit, Fedoraproject Fedora, Redhat Enterprise Linux, Redhat Enterprise Linux Fast Datapath.