CVE-2020-14378

EUVD-2020-6518
An integer underflow in dpdk versions before 18.11.10 and before 19.11.5 in the `move_desc` function can lead to large amounts of CPU cycles being eaten up in a long running loop. An attacker could cause `move_desc` to get stuck in a 4,294,967,295-count iteration loop. Depending on how `vhost_crypto` is being used this could prevent other VMs or network tasks from being serviced by the busy DPDK lcore for an extended period.
Wrap or Wraparound
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 3.3 LOW | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
EPSS Score Percentile: 22%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| dpdk | data_plane_development_kit | 18.02.1 ≤ 𝑥 < 18.11.10 |
| dpdk | data_plane_development_kit | 19.02 ≤ 𝑥 < 19.11.5 |
| canonical | ubuntu_linux | 20.04 |
| opensuse | leap | 15.1 |
| opensuse | leap | 15.2 |

𝑥 = Vulnerable software versions
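Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| dpdk | bookworm | 22.11.5-1~deb12u1 | fixed |
| dpdk | bullseye | 20.11.10-1~deb11u1 | fixed |
| dpdk | bullseye (security) | 20.11.6-1~deb11u1 | fixed |
| dpdk | sid | 23.11.2-2 | fixed |
| dpdk | stretch | | not-affected |
| dpdk | trixie | 23.11.2-2 | fixed |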
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| dpdk | bionic | | not-affected |
| dpdk | focal | Fixed 19.11.3-0ubuntu0.2 | released |
| dpdk | trusty | | dne |
| dpdk | xenial | | not-affected |