Maxime Coquelin

**Name of the Vulnerable Software and Affected Versions** DPDK's Vhost library (affected versions not specified) **Description** An out-of-bounds read issue was found in the checksum offload feature of DPDK's Vhost library. This allows an untrusted or compromised guest to crash the hypervisor's vSwitch by forging Virtio descriptors, causing out-of-bounds reads. An attacker with a malicious VM using a Virtio driver can crash the vhost-user side by sending a packet with a Tx checksum offload request and an invalid `csum start` offset. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: DPDK versions prior to 18.02.1 Description: The issue arises from the DPDK vhost-user interface not verifying that the requested guest physical range is mapped and contiguous during Guest Physical Addresses to Host Virtual Addresses translations. This could allow a malicious guest to expose vhost-user backend process memory. Recommendations: For versions prior to 18.02.1, update to version 18.02.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vhost-user interface to minimize the risk of exploitation.