CVE-2022-3643

Name: CVE-2022-3643
Creator: NVD / NIST
Published: 2022-12-07T01:15:11.207+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.46%

Last modified Jun 17, 2026

CVE-2022-3643 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. EPSS estimates a 0.46% chance of exploitation in the next 30 days.

Description

Guests can trigger NIC interface reset/abort/crash via netback It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS Probability

0.46%

36.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-74

Affected Software

Vendor	Product	Versions
Linux	Linux Kernel	>= 3.19, < 4.9.336
Linux	Linux Kernel	>= 4.10, < 4.14.302
Linux	Linux Kernel	>= 4.15, < 4.19.269
Linux	Linux Kernel	>= 4.20, < 5.4.227
Linux	Linux Kernel	>= 5.5, < 5.10.159
Linux	Linux Kernel	>= 5.11, < 5.15.83
Linux	Linux Kernel	>= 5.16, < 6.0.13
Debian	Debian Linux	10.0

References

http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
http://www.openwall.com/lists/oss-security/2022/12/07/2Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00031.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00034.htmlMailing List, Third Party Advisory
https://xenbits.xenproject.org/xsa/advisory-423.txtVendor Advisory
http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html
http://www.openwall.com/lists/oss-security/2022/12/07/2Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00031.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00034.htmlMailing List, Third Party Advisory
https://xenbits.xenproject.org/xsa/advisory-423.txtVendor Advisory

Timeline

Published: Dec 7, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-3643?

How severe is CVE-2022-3643?

CVE-2022-3643 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.46% probability of exploitation in the next 30 days.

How do I fix CVE-2022-3643?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-3643?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST