diff --git a/backport-0001-CVE-2022-2132.patch b/backport-0001-CVE-2022-2132.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0e50238c0dd1d3f2df461cd8ca21b523321ec551
--- /dev/null
+++ b/backport-0001-CVE-2022-2132.patch
@@ -0,0 +1,102 @@
+From e12d415556994d0901c317f6338ed2961185465f Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Thu, 16 Jun 2022 14:25:07 +0200
+Subject: [PATCH] vhost: fix header spanned across more than two descriptors
+
+[ upstream commit dc1516e260a0df272b218392faf6db3cbf45e717 ]
+
+This patch aims at supporting the unlikely case where a
+Virtio-net header is spanned across more than two
+descriptors.
+
+CVE-2022-2132
+Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
+
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Acked-by: Chenbo Xia <chenbo.xia@intel.com>
+Reviewed-by: David Marchand <david.marchand@redhat.com>
+---
+ lib/vhost/virtio_net.c | 41 +++++++++++++----------------------------
+ 1 file changed, 13 insertions(+), 28 deletions(-)
+
+diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
+index 991a7a2bd4..bf4d75b4bd 100644
+--- a/lib/vhost/virtio_net.c
++++ b/lib/vhost/virtio_net.c
+@@ -2322,25 +2322,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 	uint32_t buf_avail, buf_offset;
+ 	uint64_t buf_addr, buf_len;
+ 	uint32_t mbuf_avail, mbuf_offset;
++	uint32_t hdr_remain = dev->vhost_hlen;
+ 	uint32_t cpy_len;
+ 	struct rte_mbuf *cur = m, *prev = m;
+ 	struct virtio_net_hdr tmp_hdr;
+ 	struct virtio_net_hdr *hdr = NULL;
+-	/* A counter to avoid desc dead loop chain */
+-	uint16_t vec_idx = 0;
++	uint16_t vec_idx;
+ 	struct batch_copy_elem *batch_copy = vq->batch_copy_elems;
+ 	int error = 0;
+ 
+-	buf_addr = buf_vec[vec_idx].buf_addr;
+-	buf_len = buf_vec[vec_idx].buf_len;
+-
+ 	if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) {
+ 		error = -1;
+ 		goto out;
+ 	}
+ 
+ 	if (virtio_net_with_host_offload(dev)) {
+-		if (unlikely(buf_len < sizeof(struct virtio_net_hdr))) {
++		if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
+ 			/*
+ 			 * No luck, the virtio-net header doesn't fit
+ 			 * in a contiguous virtual area.
+@@ -2348,34 +2345,22 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 			copy_vnet_hdr_from_desc(&tmp_hdr, buf_vec);
+ 			hdr = &tmp_hdr;
+ 		} else {
+-			hdr = (struct virtio_net_hdr *)((uintptr_t)buf_addr);
++			hdr = (struct virtio_net_hdr *)((uintptr_t)buf_vec[0].buf_addr);
+ 		}
+ 	}
+ 
+-	/*
+-	 * A virtio driver normally uses at least 2 desc buffers
+-	 * for Tx: the first for storing the header, and others
+-	 * for storing the data.
+-	 */
+-	if (unlikely(buf_len < dev->vhost_hlen)) {
+-		buf_offset = dev->vhost_hlen - buf_len;
+-		vec_idx++;
+-		buf_addr = buf_vec[vec_idx].buf_addr;
+-		buf_len = buf_vec[vec_idx].buf_len;
+-		buf_avail  = buf_len - buf_offset;
+-	} else if (buf_len == dev->vhost_hlen) {
+-		if (unlikely(++vec_idx >= nr_vec))
+-			goto out;
+-		buf_addr = buf_vec[vec_idx].buf_addr;
+-		buf_len = buf_vec[vec_idx].buf_len;
++	for (vec_idx = 0; vec_idx < nr_vec; vec_idx++) {
++		if (buf_vec[vec_idx].buf_len > hdr_remain)
++			break;
+ 
+-		buf_offset = 0;
+-		buf_avail = buf_len;
+-	} else {
+-		buf_offset = dev->vhost_hlen;
+-		buf_avail = buf_vec[vec_idx].buf_len - dev->vhost_hlen;
++		hdr_remain -= buf_vec[vec_idx].buf_len;
+ 	}
+ 
++	buf_addr = buf_vec[vec_idx].buf_addr;
++	buf_len = buf_vec[vec_idx].buf_len;
++	buf_offset = hdr_remain;
++	buf_avail = buf_vec[vec_idx].buf_len - hdr_remain;
++
+ 	PRINT_PACKET(dev,
+ 			(uintptr_t)(buf_addr + buf_offset),
+ 			(uint32_t)buf_avail, 0);
+-- 
+2.23.0
+
diff --git a/backport-0002-CVE-2022-2132.patch b/backport-0002-CVE-2022-2132.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7c1ca478b9a77e64322cf3f7693ee6df8dade739
--- /dev/null
+++ b/backport-0002-CVE-2022-2132.patch
@@ -0,0 +1,77 @@
+From f167022606b5ccca27a627ae599538ce2348ef67 Mon Sep 17 00:00:00 2001
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+Date: Thu, 16 Jun 2022 11:35:56 +0200
+Subject: [PATCH] vhost: discard too small descriptor chains
+
+[ upstream commit 71bd0cc536ad6d84188d947d6f24c17400d8f623 ]
+
+This patch discards descriptor chains which are smaller
+than the Virtio-net header size, and ones that are equal.
+
+Indeed, such descriptor chains sizes mean there is no
+packet data.
+
+This patch also has the advantage of requesting the exact
+packets sizes for the mbufs.
+
+CVE-2022-2132
+Fixes: 62250c1d0978 ("vhost: extract split ring handling from Rx and Tx functions")
+Fixes: c3ff0ac70acb ("vhost: improve performance by supporting large buffer")
+Fixes: 84d5204310d7 ("vhost: support async dequeue for split ring")
+
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Acked-by: Chenbo Xia <chenbo.xia@intel.com>
+Reviewed-by: David Marchand <david.marchand@redhat.com>
+---
+ lib/vhost/virtio_net.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
+index 858187d1b0..991a7a2bd4 100644
+--- a/lib/vhost/virtio_net.c
++++ b/lib/vhost/virtio_net.c
+@@ -2334,10 +2334,10 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 	struct batch_copy_elem *batch_copy = vq->batch_copy_elems;
+ 	int error = 0;
+ 
+-	if (unlikely(buf_len < dev->vhost_hlen && nr_vec <= 1)) {
+-		error = -1;
+-		goto out;
+-	}
++	/*
++	 * The caller has checked the descriptors chain is larger than the
++	 * header size.
++	 */
+ 
+ 	if (virtio_net_with_host_offload(dev)) {
+ 		if (unlikely(buf_vec[0].buf_len < sizeof(struct virtio_net_hdr))) {
+@@ -2568,6 +2568,14 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+ 
+ 		update_shadow_used_ring_split(vq, head_idx, 0);
+ 
++		if (unlikely(buf_len <= dev->vhost_hlen)) {
++			dropped += 1;
++			i++;
++			break;
++		}
++
++		buf_len -= dev->vhost_hlen;
++
+ 		err = virtio_dev_pktmbuf_prep(dev, pkts[i], buf_len);
+ 		if (unlikely(err)) {
+ 			/*
+@@ -2771,6 +2779,11 @@ vhost_dequeue_single_packed(struct virtio_net *dev,
+ 					 VHOST_ACCESS_RO) < 0))
+ 		return -1;
+ 
++	if (unlikely(buf_len <= dev->vhost_hlen))
++		return -1;
++
++	buf_len -= dev->vhost_hlen;
++
+ 	if (unlikely(virtio_dev_pktmbuf_prep(dev, pkts, buf_len))) {
+ 		if (!allocerr_warned) {
+ 			VHOST_LOG_DATA(ERR,
+-- 
+2.23.0
+
diff --git a/dpdk.spec b/dpdk.spec
index 7c8a7047f1f80d2817d94abbe62e80eae9bbe20c..7401fdf49ea55f56a2c889489095797dda46d844 100644
--- a/dpdk.spec
+++ b/dpdk.spec
@@ -1,6 +1,6 @@
 Name: dpdk
 Version: 21.11
-Release: 14
+Release: 15
 Packager: packaging@6wind.com
 URL: http://dpdk.org
 %global source_version  21.11
@@ -131,7 +131,8 @@ Patch9122:    0122-app-testpmd-fix-bonding-slave-devices-not-released.patch
 
 Patch6001:    CVE-2021-3839.patch
 Patch6002:    CVE-2022-0669.patch
-
+Patch6003:    backport-0001-CVE-2022-2132.patch
+Patch6004:    backport-0002-CVE-2022-2132.patch
 
 Summary: Data Plane Development Kit core
 Group: System Environment/Libraries
@@ -253,6 +254,9 @@ strip -g $RPM_BUILD_ROOT/lib/modules/%{kern_devel_ver}/extra/dpdk/igb_uio.ko
 /usr/sbin/depmod
 
 %changelog
+* Thu Sep 08 2022 jiangheng <jiangheng14@huawei.com> - 21.11-15
+- fix CVE-2022-2132
+
 * Thu Jul 07 2022 Honggang Li <honggangli@163.com> - 21.11-14
 - Remove duplicated BuildRequires python-pyelftools