CVE-2021-46947: Vulnerability in Linux
Description

In the Linux kernel, the following vulnerability has been resolved:

sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues

efx->xdp_tx_queue_count is initially initialized to num_possible_cpus() and is later used to allocate and traverse the efx->xdp_tx_queues lookup array. However, we may end up not initializing all the array slots with real queues during probing. This results, for example, in a NULL pointer dereference when running "# ethtool -S <iface>", similar to below:

[2570283.664955][T4126959] BUG: kernel NULL pointer dereference, address: 00000000000000f8
[2570283.681283][T4126959] #PF: supervisor read access in kernel mode
[2570283.695678][T4126959] #PF: error_code(0x0000) - not-present page
[2570283.710013][T4126959] PGD 0 P4D 0
[2570283.721649][T4126959] Oops: 0000 [#1] SMP PTI
[2570283.734108][T4126959] CPU: 23 PID: 4126959 Comm: ethtool Tainted: G O 5.10.20-cloudflare-2021.3.1 #1
[2570283.752641][T4126959] Hardware name: <redacted>
[2570283.781408][T4126959] RIP: 0010:efx_ethtool_get_stats+0x2ca/0x330 [sfc]
[2570283.796073][T4126959] Code: 00 85 c0 74 39 48 8b 95 a8 0f 00 00 48 85 d2 74 2d 31 c0 eb 07 48 8b 95 a8 0f 00 00 48 63 c8 49 83 c4 08 83 c0 01 48 8b 14 ca <48> 8b 92 f8 00 00 00 49 89 54 24 f8 39 85 a0 0f 00 00 77 d7 48 8b
[2570283.831259][T4126959] RSP: 0018:ffffb79a77657ce8 EFLAGS: 00010202
[2570283.845121][T4126959] RAX: 0000000000000019 RBX: ffffb799cd0c9280 RCX: 0000000000000018
[2570283.860872][T4126959] RDX: 0000000000000000 RSI: ffff96dd970ce000 RDI: 0000000000000005
[2570283.876525][T4126959] RBP: ffff96dd86f0a000 R08: ffff96dd970ce480 R09: 000000000000005f
[2570283.892014][T4126959] R10: ffffb799cd0c9fff R11: ffffb799cd0c9000 R12: ffffb799cd0c94f8
[2570283.907406][T4126959] R13: ffffffffc11b1090 R14: ffff96dd970ce000 R15: ffffffffc11cd66c
[2570283.922705][T4126959] FS: 00007fa7723f8740(0000) GS:ffff96f51fac0000(0000) knlGS:0000000000000000
[2570283.938848][T4126959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2570283.952524][T4126959] CR2: 00000000000000f8 CR3: 0000001a73e6e006 CR4: 00000000007706e0
[2570283.967529][T4126959] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[2570283.982400][T4126959] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[2570283.997308][T4126959] PKRU: 55555554
[2570284.007649][T4126959] Call Trace:
[2570284.017598][T4126959] dev_ethtool+0x1832/0x2830

Fix this by adjusting efx->xdp_tx_queue_count after probing to reflect the true value of initialized slots in efx->xdp_tx_queues.
AI Analysis
Technical Summary
CVE-2021-46947 is a vulnerability in the Linux kernel's sfc driver, which manages Solarflare network interface cards. The issue arises from improper handling of the efx->xdp_tx_queue_count variable: it is initially set to the number of possible CPUs, and the efx->xdp_tx_queues lookup array is allocated and traversed with that count, but after device probing the count is not reduced to the number of transmit queues that were actually initialized. The slots beyond the initialized queues therefore remain NULL. Consequently, when an operation such as "ethtool -S <iface>" walks the full array to retrieve network statistics, the kernel dereferences a NULL pointer, causing a kernel oops and a system crash. The vulnerability manifests as a NULL pointer dereference in kernel mode, leading to a denial-of-service (DoS) condition by crashing the affected system. The root cause is a logic error in the driver code: the queue count is not adjusted post-probing to match the initialized queues, so the statistics walk performs unsafe memory accesses. This vulnerability affects Linux kernel versions including the specified commit e26ca4b535820b1445dcef3c0f82b3fb5b45108b and potentially others using the sfc driver. Although no known exploits are currently reported in the wild, the vulnerability can be triggered locally by users with access to the ethtool utility and the permissions needed to query network interface statistics. The fix adjusts efx->xdp_tx_queue_count after device probing so that it represents the number of initialized transmit queues, which prevents the walk from reaching uninitialized slots and crashing the kernel.
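The count mismatch described above, modelled in C as an added example (not the sfc driver's code): a probe that fills only part of the lookup array, the statistics walk that reaches a NULL slot, and the fix that trims xdp_tx_queue_count to the initialised slots. The struct layout, efx_probe, efx_get_xdp_stats, run_scenario and the sample counter values are simplifications assumed for this example.

```c
#include <stdlib.h>
/* Added model of the sfc XDP TX queue bookkeeping; field names follow the advisory. */
struct efx_tx_queue { unsigned long tx_packets; };
struct efx_nic {
    unsigned int xdp_tx_queue_count;       /* starts at num_possible_cpus() */
    struct efx_tx_queue **xdp_tx_queues;   /* lookup array sized by count */
    struct efx_tx_queue *queues;           /* backing storage of real queues */
};
/* Probe: only `real_queues` slots receive a queue; the tail stays NULL.
 * With `adjust` set, the count is corrected afterwards (the upstream fix). */
static int efx_probe(struct efx_nic *efx, unsigned int possible_cpus,
                     unsigned int real_queues, int adjust)
{
    unsigned int i;
    efx->xdp_tx_queue_count = possible_cpus;
    efx->xdp_tx_queues = calloc(possible_cpus, sizeof(*efx->xdp_tx_queues));
    efx->queues = calloc(real_queues, sizeof(*efx->queues));
    if (!efx->xdp_tx_queues || !efx->queues)
        return -1;
    for (i = 0; i < real_queues && i < possible_cpus; i++) {
        efx->queues[i].tx_packets = 100 + i;      /* constructed counters */
        efx->xdp_tx_queues[i] = &efx->queues[i];
    }
    if (adjust)
        efx->xdp_tx_queue_count = i;   /* count only the initialised slots */
    return 0;
}

/* Models the "ethtool -S" walk over every slot up to xdp_tx_queue_count.
 * The kernel dereferences the NULL slot and oopses; here -1 is returned. */
static long efx_get_xdp_stats(const struct efx_nic *efx)
{
    long total = 0; unsigned int i;
    for (i = 0; i < efx->xdp_tx_queue_count; i++) {
        if (!efx->xdp_tx_queues[i])
            return -1;   /* CVE-2021-46947: uninitialised slot reached */
        total += efx->xdp_tx_queues[i]->tx_packets;
    }
    return total;
}

/* 8 possible CPUs but 3 real queues: -1 without the fix, 303 with it. */
static long run_scenario(int adjust)
{
    struct efx_nic efx = { 0 };
    long r = efx_probe(&efx, 8, 3, adjust) < 0 ? -2 : efx_get_xdp_stats(&efx);
    free(efx.xdp_tx_queues);
    free(efx.queues);
    return r;
}
```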
Potential Impact
For European organizations, this vulnerability primarily poses a risk of denial-of-service on Linux systems utilizing Solarflare network cards managed by the sfc driver. Organizations running critical infrastructure, data centers, or cloud services on affected Linux kernels may experience system instability or crashes when network statistics are queried or under specific network management operations. This could lead to service interruptions, impacting availability of networked applications and services. While the vulnerability does not directly enable privilege escalation or remote code execution, the resulting kernel crashes could be exploited by malicious insiders or attackers with local access to disrupt operations. In sectors such as finance, telecommunications, and government services where high availability and network reliability are paramount, even transient outages caused by kernel panics can have significant operational and reputational consequences. Additionally, the need to apply kernel patches or upgrade Linux distributions to remediate this issue may require planned maintenance windows, potentially impacting service continuity. Since the vulnerability requires local access and specific hardware, its impact is limited to environments using affected network cards, but given the widespread use of Linux in European enterprise and cloud environments, the risk remains relevant.
Mitigation Recommendations
European organizations should take the following specific actions to mitigate CVE-2021-46947:

1) Identify systems running Linux kernels with the sfc driver managing Solarflare network cards. This can be done by checking kernel module usage and hardware inventories.
2) Apply the vendor-provided patches or upgrade to Linux kernel versions where the efx->xdp_tx_queue_count adjustment fix is included. Since no patch links are provided, organizations should monitor official Linux kernel repositories and distribution advisories for updates.
3) Restrict access to ethtool and similar network diagnostic utilities to trusted administrators only, minimizing the risk of local exploitation.
4) Implement monitoring to detect kernel oops or crashes related to the sfc driver, enabling rapid response to potential exploitation attempts.
5) For environments where immediate patching is not feasible, consider disabling or unloading the sfc driver if the hardware is not critical or can be temporarily replaced.
6) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely updates and validation of fixes.
7) Incorporate this vulnerability into vulnerability management and incident response plans to ensure awareness and preparedness.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:45:52.722Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea7d6
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 9:24:15 AM
Last updated: 8/11/2025, 7:18:16 AM