CVE-2024-11614 - Vulnerability Details

An out-of-bounds read vulnerability was found in DPDK's Vhost library checksum offload feature. This issue enables an untrusted or compromised guest to crash the hypervisor's vSwitch by forging Virtio descriptors to cause out-of-bounds reads. This flaw allows an attacker with a malicious VM using a virtio driver to cause the vhost-user side to crash by sending a packet with a Tx checksum offload request and an invalid csum_start offset.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux Openshift Rhel Aus Rhel E4s Rhel Eus Rhel Tus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
dpdk-0:23.11-2.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:0222	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
dpdk-0:21.11-3.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:0221	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
dpdk-0:21.11-3.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:0221	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
dpdk-0:21.11-3.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:0221	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
dpdk-0:21.11-4.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:0220	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 9
dpdk-2:23.11-2.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:0210	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
dpdk-2:21.11-3.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:0211	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
dpdk-2:22.11-4.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:0208	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
dpdk-2:23.11-2.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:0209	2025-01-09T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/12/17/3
https://access.redhat.com/errata/RHSA-2025:0208
https://access.redhat.com/errata/RHSA-2025:0209
https://access.redhat.com/errata/RHSA-2025:0210
https://access.redhat.com/errata/RHSA-2025:0211
https://access.redhat.com/errata/RHSA-2025:0220
https://access.redhat.com/errata/RHSA-2025:0221
https://access.redhat.com/errata/RHSA-2025:0222
https://access.redhat.com/security/cve/CVE-2024-11614
https://bugzilla.redhat.com/show_bug.cgi?id=2327955
https://nvd.nist.gov/vuln/detail/CVE-2024-11614
https://www.cve.org/CVERecord?id=CVE-2024-11614

History

Thu, 13 Feb 2025 00:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.6

Thu, 09 Jan 2025 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.0::appstream
References		https://access.redhat.com/errata/RHSA-2025:0211

Thu, 09 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_eus:8.8::appstream cpe:/a:redhat:rhel_tus:8.6::appstream
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:0220 https://access.redhat.com/errata/RHSA-2025:0221 https://access.redhat.com/errata/RHSA-2025:0222

Thu, 09 Jan 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:rhel_eus:9.2::appstream cpe:/a:redhat:rhel_eus:9.4::appstream
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:0208 https://access.redhat.com/errata/RHSA-2025:0209 https://access.redhat.com/errata/RHSA-2025:0210

Wed, 18 Dec 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Dec 2024 09:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2024/12/17/3

Wed, 18 Dec 2024 08:45:00 +0000

Type	Values Removed	Values Added
Title	dpdk: Denial Of Service from malicious guest on hypervisors using DPDK Vhost library	Dpdk: denial of service from malicious guest on hypervisors using dpdk vhost library
First Time appeared		Redhat Redhat enterprise Linux Redhat openshift
CPEs		cpe:/a:redhat:openshift:4 cpe:/o:redhat:enterprise_linux:7::fastdatapath cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:8::fastdatapath cpe:/o:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9::fastdatapath
Vendors & Products		Redhat Redhat enterprise Linux Redhat openshift
References		https://access.redhat.com/security/cve/CVE-2024-11614 https://bugzilla.redhat.com/show_bug.cgi?id=2327955

Wed, 18 Dec 2024 01:45:00 +0000

Type	Values Removed	Values Added
Description		An out-of-bounds read vulnerability was found in DPDK's Vhost library checksum offload feature. This issue enables an untrusted or compromised guest to crash the hypervisor's vSwitch by forging Virtio descriptors to cause out-of-bounds reads. This flaw allows an attacker with a malicious VM using a virtio driver to cause the vhost-user side to crash by sending a packet with a Tx checksum offload request and an invalid csum_start offset.
Title		dpdk: Denial Of Service from malicious guest on hypervisors using DPDK Vhost library
Weaknesses		CWE-125
References		https://nvd.nist.gov/vuln/detail/CVE-2024-11614 https://www.cve.org/CVERecord?id=CVE-2024-11614
Metrics	threat_severity `None`	cvssV3_0 `{'score': 7.4, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}` threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-12-18T08:30:49.729Z

Updated: 2025-01-22T10:24:19.828Z

Reserved: 2024-11-22T04:21:45.124Z

Link: CVE-2024-11614

Vulnrichment

Updated: 2024-12-18T09:03:01.520Z

NVD

Status : Awaiting Analysis

Published: 2024-12-18T09:15:06.660

Modified: 2025-01-09T19:15:17.283

Link: CVE-2024-11614

Redhat

Severity : Important

Publid Date: 2024-12-17T00:00:00Z

Links: CVE-2024-11614 - Bugzilla

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object