CVE-2022-28199: 
Rocky Linux vulnerability analysis and mitigation

NVIDIA's Data Plane Development Kit (MLNXDPDK) was found to contain a vulnerability (CVE-2022-28199) in its network stack where error recovery is not handled properly. The vulnerability was initially disclosed on August 29, 2022, affecting MLNXDPDK versions from mlnxdpdk19.111.. through mlnxdpdk20.111.0.0-4.. on both Linux and Windows operating systems (NVIDIA Security).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a network-accessible vulnerability with low attack complexity and requiring low privileges. The weakness type is classified as CWE-20 Improper Input Validation (NVIDIA Security).

When exploited, this vulnerability can allow a remote attacker to cause denial of service (DoS) conditions and potentially impact data integrity and confidentiality. In specific cases, such as with Cisco Catalyst 8000V Edge Software, the device may either reload or fail to receive traffic, resulting in a denial of service condition (Cisco Advisory).

NVIDIA has released a software update to address this vulnerability, with the fixed version being mlnxdpdk20.115.0.0. Users are advised to contact their NVIDIA representative to obtain the updated version. For affected Cisco Catalyst 8000V Edge Software, a temporary recovery mechanism exists through the shut/no shut interface commands ([NVIDIA Security](https://nvidia.custhelp.com/app/answers/detail/aid/5389), Cisco Advisory).

Several major vendors have responded to this vulnerability. Palo Alto Networks evaluated the vulnerability and determined that while their VM-Series firewalls use the affected NVIDIA DPDK module on PAN-OS 10.1 and later versions, there are no scenarios that enable successful exploitation in their PAN-OS software (Palo Alto).