Executive Summary

Name CVE-2021-28714 First vendor Publication 2022-01-06
Vendor Cve Last vendor Modification 2022-04-18

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Overall CVSS Score 6.5
Base Score 6.5 Environmental Score 6.5
impact SubScore 4 Temporal Score 6.5
Exploitabality Sub Score 2
Attack Vector Local Attack Complexity Low
Privileges Required Low User Interaction None
Scope Changed Confidentiality Impact None
Integrity Impact None Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 2.1 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Guest can force Linux netback driver to hog large amounts of kernel memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time. (CVE-2021-28715) The timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next package would require more than one free slot, which may be the case when using GSO, XDP, or software hashing. (CVE-2021-28714)

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28714

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-404 Improper Resource Shutdown or Release

CPE : Common Platform Enumeration

Application 15
Os 2
Os 3422

Sources (Detail)

Source Url
DEBIAN https://www.debian.org/security/2022/dsa-5050
MISC https://xenbits.xenproject.org/xsa/advisory-392.txt
MLIST https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html

Alert History

If you want to see full details history, please login or register.
Date Informations
2022-04-18 21:23:09
  • Multiple Updates
2022-03-31 01:55:06
  • Multiple Updates
2022-03-10 21:23:18
  • Multiple Updates
2022-02-26 01:53:31
  • Multiple Updates
2022-02-01 01:50:17
  • Multiple Updates
2022-01-28 17:23:16
  • Multiple Updates
2022-01-22 00:23:07
  • Multiple Updates
2022-01-18 21:23:00
  • Multiple Updates
2022-01-07 00:22:55
  • Multiple Updates
2022-01-06 21:22:54
  • First insertion