CVE-2024-11614
📋 TL;DR
CVE-2024-11614 is an out-of-bounds read vulnerability in the checksum offload feature of DPDK's Vhost library. It allows a malicious virtual machine using a virtio driver to crash the hypervisor's vSwitch by sending specially crafted packets with invalid checksum offsets. This affects systems using DPDK with vhost-user networking and untrusted or compromised guest VMs.
💻 Affected Systems
- DPDK (Data Plane Development Kit)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service of the hypervisor's virtual switch, disrupting network connectivity for all VMs on the affected host.
Likely Case
Targeted crash of the vhost-user process, causing network disruption for affected VMs until service is restored.
If Mitigated
Minimal impact if proper network segmentation and VM isolation are implemented, limiting blast radius.
🎯 Exploit Status
Exploitation requires control of a guest VM to forge malicious Virtio descriptors. The vulnerability is in the hypervisor-side vhost library processing.
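The class of check that stops this kind of out-of-bounds read, as an added example (not DPDK's code and not the actual patch): before acting on a guest-supplied checksum offload request, the host confirms that the 16-bit checksum field lies inside the packet. The `csum_req` struct and the function names are hypothetical; the field names and the `VIRTIO_NET_HDR_F_NEEDS_CSUM` flag follow the virtio-net header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Flag value from the virtio specification. */
#define VIRTIO_NET_HDR_F_NEEDS_CSUM 1

/* Guest-controlled header fields relevant to checksum offload.
 * Hypothetical trimmed struct, host-endian for simplicity. */
struct csum_req {
    uint8_t  flags;
    uint16_t csum_start;   /* offset where checksumming begins */
    uint16_t csum_offset;  /* offset of the checksum field after csum_start */
};

/* Returns true when the request is safe to act on for a packet of
 * pkt_len bytes; false means the packet must be dropped. */
bool csum_req_in_bounds(const struct csum_req *r, size_t pkt_len)
{
    if (!(r->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM))
        return true; /* no offload requested, nothing is dereferenced */

    /* Widen before adding so the two 16-bit values cannot wrap. */
    size_t field = (size_t)r->csum_start + (size_t)r->csum_offset;

    /* The 2-byte checksum field must lie entirely inside the packet. */
    return pkt_len >= sizeof(uint16_t) &&
           field <= pkt_len - sizeof(uint16_t);
}

/* Constructed sample: a 54-byte Ethernet + IPv4 + TCP frame, where the
 * TCP header starts at byte 34 and its checksum sits 16 bytes in. */
int demo(void)
{
    struct csum_req ok  = { VIRTIO_NET_HDR_F_NEEDS_CSUM, 34, 16 };
    struct csum_req bad = { VIRTIO_NET_HDR_F_NEEDS_CSUM, 34, 0xFFF0 };

    return csum_req_in_bounds(&ok, 54) && !csum_req_in_bounds(&bad, 54);
}
```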
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Red Hat advisories RHSA-2025:0208 through RHSA-2025:0220 for specific patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:0208
Restart Required: Yes
Instructions:
1. Identify affected DPDK packages on your system.
2. Apply relevant Red Hat security updates for your distribution.
3. Restart affected services or reboot the host to load patched libraries.
🔧 Temporary Workarounds
Disable checksum offload
Platform: linux
Disable Tx checksum offload feature in vhost-user configuration to prevent exploitation
# Configure DPDK to disable checksum offload in vhost settings
# Exact commands depend on your DPDK deployment configuration
Isolate untrusted VMs
Platform: all
Segment network and restrict VM-to-hypervisor communication for untrusted workloads
🧯 If You Can't Patch
- Implement strict VM isolation and network segmentation to limit potential attack surface
- Monitor for abnormal vhost process crashes and implement rapid response procedures
🔍 How to Verify
Check if Vulnerable:
Check DPDK version and verify if vhost-user with checksum offload is enabled in your configuration
Check Version:
rpm -qa | grep dpdk # For RHEL-based systems
Verify Fix Applied:
Verify DPDK packages have been updated to versions specified in Red Hat advisories and test with legitimate checksum offload requests
📡 Detection & Monitoring
Log Indicators:
- Unexpected crashes or restarts of vhost-user processes
- Kernel logs showing memory access violations in DPDK components
Network Indicators:
- Sudden loss of network connectivity for VMs on affected hosts
- Abnormal packet patterns from VMs attempting checksum offload
SIEM Query:
Process crashes with 'dpdk' or 'vhost' in process name AND source from VM network interfaces
🔗 References
- https://access.redhat.com/errata/RHSA-2025:0208
- https://access.redhat.com/errata/RHSA-2025:0209
- https://access.redhat.com/errata/RHSA-2025:0210
- https://access.redhat.com/errata/RHSA-2025:0211
- https://access.redhat.com/errata/RHSA-2025:0220
- https://access.redhat.com/errata/RHSA-2025:0221
- https://access.redhat.com/errata/RHSA-2025:0222
- https://access.redhat.com/errata/RHSA-2025:3963
- https://access.redhat.com/errata/RHSA-2025:3964
- https://access.redhat.com/errata/RHSA-2025:3965
- https://access.redhat.com/errata/RHSA-2025:3970
- https://access.redhat.com/security/cve/CVE-2024-11614
- https://bugzilla.redhat.com/show_bug.cgi?id=2327955
- http://www.openwall.com/lists/oss-security/2024/12/17/3