CVE-2022-2132: 
Rocky Linux vulnerability analysis and mitigation

A permissive list of allowed inputs flaw was discovered in DPDK (Data Plane Development Kit) identified as CVE-2022-2132. The vulnerability was discovered on June 9, 2022, and publicly disclosed on August 29, 2022. This security issue affects the vhost code in DPDK, which allows a remote attacker to cause a denial of service by sending a crafted Vhost header (DPDK Bug, NVD).

The vulnerability exists in the copydesctombuf function where the vhost header was incorrectly assumed to not span more than two descriptors. When a malicious guest sends a packet with the vhost header crossing more than two descriptors, the bufavail variable overflows to a very large number (approximately 4GB). This results in an attempt to allocate all available mbufs, leading to resource exhaustion (DPDK Bug). The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (Ubuntu).

When exploited, this vulnerability can cause a complete denial of service condition where other guests' traffic becomes blocked due to the exhaustion of all available mbufs. This effectively impacts the availability of the system for other guests running on the hypervisor (DPDK Bug, Debian Security).

The vulnerability has been fixed in multiple DPDK versions: 21.11.2, 20.11.6, and 19.11.13. Various Linux distributions have also released security updates to address this issue. Users are strongly recommended to upgrade to the patched versions (DPDK Bug, Red Hat).