Bug 2158198 (CVE-2022-3643) - CVE-2022-3643 Xen Security Advisory 423 v1: Guests can trigger NIC interface reset/abort/crash via netback
Alias: CVE-2022-3643
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2158199
Blocks: 2151870
Reported: 2023-01-04 15:37 UTC by Alex
Modified: 2023-01-18 14:56 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A possible reset/abort/crash flaw was found in the Linux kernel’s XEN driver when sending certain kinds of packets. This flaw allows a local user to crash the system.
Clone Of:
Last Closed: 2023-01-06 10:32:17 UTC


Description Alex 2023-01-04 15:37:44 UTC
Guests can trigger NIC interface reset/abort/crash via netback.

It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux-based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB, and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtreme II BCM5780 (bnx2x), though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those, violating the above-mentioned assumption, to the networking core, resulting in said misbehavior.
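
As an added illustration (not part of the bug report and not Xen or Linux source), the following user-space C model shows the kind of check a backend can apply before handing a packet to the network stack: compute the Ethernet/IPv4/TCP-or-UDP header length and copy any header bytes that sit in a fragment into the linear area, dropping packets whose headers are truncated. The `struct pkt` type and all function names are hypothetical, and the frame is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-space model (not the kernel's struct sk_buff): linear area + one fragment. */
struct pkt { uint8_t linear[128]; size_t linear_len; const uint8_t *frag; size_t frag_len; };

/* Read the byte at packet offset `off`, crossing from the linear area into the fragment. */
static int pkt_byte(const struct pkt *p, size_t off, uint8_t *out) {
    if (off < p->linear_len) { *out = p->linear[off]; return 0; }
    off -= p->linear_len;
    if (off < p->frag_len) { *out = p->frag[off]; return 0; }
    return -1;                                  /* past the end of the packet */
}

/* Ethernet + IPv4 + TCP/UDP header length, or 0 if truncated or not IPv4. */
size_t header_len(const struct pkt *p) {
    uint8_t hi, lo, vihl, proto, doff;
    if (pkt_byte(p, 12, &hi) || pkt_byte(p, 13, &lo) || hi != 0x08 || lo != 0x00) return 0;
    if (pkt_byte(p, 14, &vihl) || (vihl >> 4) != 4 || (vihl & 0x0f) < 5) return 0;
    size_t l4 = 14 + (size_t)(vihl & 0x0f) * 4; /* start of the transport header */
    if (pkt_byte(p, 23, &proto)) return 0;
    if (proto == 17) return l4 + 8;             /* UDP: fixed 8-byte header */
    if (proto != 6) return l4;                  /* other protocols: IP header only */
    if (pkt_byte(p, l4 + 12, &doff) || (doff >> 4) < 5) return 0;
    return l4 + (size_t)(doff >> 4) * 4;        /* TCP: length from the data offset field */
}

/* Ensure all protocol headers sit in the linear area; 0 on success, -1 to drop the packet. */
int linearize_headers(struct pkt *p) {
    size_t need = header_len(p);
    if (need == 0 || need > p->linear_len + p->frag_len || need > sizeof p->linear) return -1;
    if (need <= p->linear_len) return 0;        /* headers already linear */
    size_t pull = need - p->linear_len;         /* header bytes still in the fragment */
    memcpy(p->linear + p->linear_len, p->frag, pull);
    p->linear_len += pull; p->frag += pull; p->frag_len -= pull;
    return 0;
}

/* Constructed 60-byte IPv4/TCP frame, cut to `total` bytes and split at `split`;
 * returns the linear length after the fix-up, or -1 when the packet is dropped. */
int demo_split(size_t split, size_t total) {
    /* Constructed sample: EtherType IPv4, IHL 5, protocol TCP, data offset 5. */
    static const uint8_t f[60] = { [12] = 0x08, [14] = 0x45, [23] = 6, [46] = 0x50 };
    struct pkt p = {0};
    if (split > total || total > sizeof f) return -1;
    memcpy(p.linear, f, split); p.linear_len = split;
    p.frag = f + split; p.frag_len = total - split;
    return linearize_headers(&p) ? -1 : (int)p.linear_len;
}
```

With the 54 bytes of headers in the sample frame, a split at byte 20 ends with a 54-byte linear area, while a frame truncated inside the TCP header is dropped.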


Comment 1 Alex 2023-01-04 15:38:15 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2158199]

Comment 7 Product Security DevOps Team 2023-01-06 10:32:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 8 Justin M. Forbes 2023-01-18 14:56:00 UTC
This was fixed for Fedora with the 6.0.13 stable kernel updates.
