CVE-2024-11614

Publication date 18 December 2024

Last updated 1 January 2025

Ubuntu priority

An out-of-bounds read vulnerability was found in DPDK's Vhost library checksum offload feature. This issue enables an untrusted or compromised guest to crash the hypervisor's vSwitch by forging Virtio descriptors to cause out-of-bounds reads. This flaw allows an attacker with a malicious VM using a virtio driver to cause the vhost-user side to crash by sending a packet with a Tx checksum offload request and an invalid csum_start offset.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dpdk	24.10 oracular	Fixed 23.11.2-0ubuntu1.1
	24.04 LTS noble	Fixed 23.11-1ubuntu0.1
	22.04 LTS jammy	Fixed 21.11.6-0ubuntu0.22.04.2
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected

Notes

mdeslaur

introduced by the following commit in 21.05: https://git.dpdk.org/dpdk/commit/?id=ca7036b4af3a82d258cca914e71171434b3d0320

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
dpdk	Upstream: ?id=4dc Upstream: ?id=fdf Upstream: ?id=b8e Upstream: ?id=157 Upstream: ?id=e9c

CVE-2024-11614

Status

Notes

mdeslaur

Patch details

References

Related Ubuntu Security Notices (USN)

Other references