CVE-2021-47399: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup The ixgbe driver currently generates a NULL pointer dereference with some machine (online cpus < 63). This is due to the fact that the maximum value of num_xdp_queues is nr_cpu_ids. Code is in "ixgbe_set_rss_queues"". Here's how the problem repeats itself: Some machine (online cpus < 63), And user set num_queues to 63 through ethtool. Code is in the "ixgbe_set_channels", adapter->ring_feature[RING_F_FDIR].limit = count; It becomes 63. When user use xdp, "ixgbe_set_rss_queues" will set queues num. adapter->num_rx_queues = rss_i; adapter->num_tx_queues = rss_i; adapter->num_xdp_queues = ixgbe_xdp_queues(adapter); And rss_i's value is from f = &adapter->ring_feature[RING_F_FDIR]; rss_i = f->indices = f->limit; So "num_rx_queues" > "num_xdp_queues", when run to "ixgbe_xdp_setup", for (i = 0; i < adapter->num_rx_queues; i++) if (adapter->xdp_ring[i]->xsk_umem) It leads to panic. Call trace: [exception RIP: ixgbe_xdp+368] RIP: ffffffffc02a76a0 RSP: ffff9fe16202f8d0 RFLAGS: 00010297 RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000001c RDI: ffffffffa94ead90 RBP: ffff92f8f24c0c18 R8: 0000000000000000 R9: 0000000000000000 R10: ffff9fe16202f830 R11: 0000000000000000 R12: ffff92f8f24c0000 R13: ffff9fe16202fc01 R14: 000000000000000a R15: ffffffffc02a7530 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235 10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384 11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd 12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb 13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88 14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319 15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290 16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8 17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64 18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9 19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c So I fix ixgbe_max_channels so that it will not allow a setting of queues to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup, take the smaller value of num_rx_queues and num_xdp_queues.
AI Analysis
Technical Summary
CVE-2021-47399 is a vulnerability in the Linux kernel's ixgbe network driver, which is responsible for managing Intel 10 Gigabit Ethernet network interfaces. The issue arises from improper handling of queue numbers related to XDP (eXpress Data Path) setup in systems with fewer than 63 online CPUs. Specifically, the vulnerability is triggered when a user sets the number of queues to 63 via the ethtool utility, exceeding the actual number of online CPUs (num_online_cpus). The ixgbe driver maintains several queue counts: num_rx_queues, num_tx_queues, and num_xdp_queues. Due to a logic flaw, num_rx_queues can be set higher than num_xdp_queues, leading to a NULL pointer dereference during the execution of the ixgbe_xdp_setup function. This dereference occurs when the driver attempts to access xdp_ring elements beyond the allocated range, resulting in a kernel panic and system crash. The vulnerability is rooted in the incorrect calculation and validation of queue limits, specifically in the functions ixgbe_set_channels and ixgbe_set_rss_queues, where the ring_feature limit is set to 63 without proper bounds checking against the number of online CPUs. The fix involves adjusting ixgbe_max_channels to ensure the number of queues cannot exceed num_online_cpus and modifying ixgbe_xdp_setup to use the smaller value between num_rx_queues and num_xdp_queues, preventing out-of-bounds access. This vulnerability does not require user interaction beyond setting queue parameters via ethtool and can be triggered locally by users with sufficient privileges to configure network interfaces. No known exploits are currently reported in the wild, and the vulnerability affects Linux kernel versions containing the ixgbe driver prior to the patch date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running Linux with Intel 10 Gigabit Ethernet adapters using the ixgbe driver. The impact includes potential denial of service (DoS) due to kernel panics, leading to system crashes and network outages. This can disrupt critical services, especially in data centers, cloud providers, telecommunications, and enterprises relying on high-performance networking. Confidentiality and integrity are less directly impacted since the flaw causes crashes rather than unauthorized data access or modification. However, availability degradation can have cascading effects on business operations, service level agreements, and regulatory compliance, particularly in sectors like finance, healthcare, and public administration. The vulnerability requires local administrative privileges to exploit, limiting remote attack vectors but increasing risk from insider threats or compromised accounts. Given the widespread use of Linux in European IT infrastructure and the prevalence of Intel network hardware, the vulnerability could affect a broad range of organizations if unpatched. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is publicly disclosed.
Mitigation Recommendations
European organizations should promptly apply the official Linux kernel patches that address CVE-2021-47399. Specifically, update the kernel to versions where ixgbe_max_channels is corrected to limit queue settings to the number of online CPUs and ixgbe_xdp_setup properly bounds queue usage. Network administrators should audit and restrict the use of ethtool commands that modify queue parameters, limiting such operations to trusted administrators only. Implement monitoring for kernel panics and unusual network interface configurations to detect potential exploitation attempts. For environments where immediate patching is not feasible, consider disabling XDP features on affected interfaces as a temporary workaround to prevent triggering the vulnerability. Additionally, review and enforce strict access controls on systems with Intel 10GbE adapters to prevent unauthorized local configuration changes. Regularly update and test incident response plans to handle potential DoS events caused by this or similar vulnerabilities. Finally, maintain awareness of vendor advisories and Linux kernel updates to ensure timely application of security fixes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2021-47399: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup The ixgbe driver currently generates a NULL pointer dereference with some machine (online cpus < 63). This is due to the fact that the maximum value of num_xdp_queues is nr_cpu_ids. Code is in "ixgbe_set_rss_queues"". Here's how the problem repeats itself: Some machine (online cpus < 63), And user set num_queues to 63 through ethtool. Code is in the "ixgbe_set_channels", adapter->ring_feature[RING_F_FDIR].limit = count; It becomes 63. When user use xdp, "ixgbe_set_rss_queues" will set queues num. adapter->num_rx_queues = rss_i; adapter->num_tx_queues = rss_i; adapter->num_xdp_queues = ixgbe_xdp_queues(adapter); And rss_i's value is from f = &adapter->ring_feature[RING_F_FDIR]; rss_i = f->indices = f->limit; So "num_rx_queues" > "num_xdp_queues", when run to "ixgbe_xdp_setup", for (i = 0; i < adapter->num_rx_queues; i++) if (adapter->xdp_ring[i]->xsk_umem) It leads to panic. Call trace: [exception RIP: ixgbe_xdp+368] RIP: ffffffffc02a76a0 RSP: ffff9fe16202f8d0 RFLAGS: 00010297 RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000001c RDI: ffffffffa94ead90 RBP: ffff92f8f24c0c18 R8: 0000000000000000 R9: 0000000000000000 R10: ffff9fe16202f830 R11: 0000000000000000 R12: ffff92f8f24c0000 R13: ffff9fe16202fc01 R14: 000000000000000a R15: ffffffffc02a7530 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235 10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384 11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd 12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb 13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88 14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319 15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290 16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8 17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64 18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9 19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c So I fix ixgbe_max_channels so that it will not allow a setting of queues to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup, take the smaller value of num_rx_queues and num_xdp_queues.
AI-Powered Analysis
Technical Analysis
CVE-2021-47399 is a vulnerability in the Linux kernel's ixgbe network driver, which is responsible for managing Intel 10 Gigabit Ethernet network interfaces. The issue arises from improper handling of queue numbers related to XDP (eXpress Data Path) setup in systems with fewer than 63 online CPUs. Specifically, the vulnerability is triggered when a user sets the number of queues to 63 via the ethtool utility, exceeding the actual number of online CPUs (num_online_cpus). The ixgbe driver maintains several queue counts: num_rx_queues, num_tx_queues, and num_xdp_queues. Due to a logic flaw, num_rx_queues can be set higher than num_xdp_queues, leading to a NULL pointer dereference during the execution of the ixgbe_xdp_setup function. This dereference occurs when the driver attempts to access xdp_ring elements beyond the allocated range, resulting in a kernel panic and system crash. The vulnerability is rooted in the incorrect calculation and validation of queue limits, specifically in the functions ixgbe_set_channels and ixgbe_set_rss_queues, where the ring_feature limit is set to 63 without proper bounds checking against the number of online CPUs. The fix involves adjusting ixgbe_max_channels to ensure the number of queues cannot exceed num_online_cpus and modifying ixgbe_xdp_setup to use the smaller value between num_rx_queues and num_xdp_queues, preventing out-of-bounds access. This vulnerability does not require user interaction beyond setting queue parameters via ethtool and can be triggered locally by users with sufficient privileges to configure network interfaces. No known exploits are currently reported in the wild, and the vulnerability affects Linux kernel versions containing the ixgbe driver prior to the patch date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and network infrastructure running Linux with Intel 10 Gigabit Ethernet adapters using the ixgbe driver. The impact includes potential denial of service (DoS) due to kernel panics, leading to system crashes and network outages. This can disrupt critical services, especially in data centers, cloud providers, telecommunications, and enterprises relying on high-performance networking. Confidentiality and integrity are less directly impacted since the flaw causes crashes rather than unauthorized data access or modification. However, availability degradation can have cascading effects on business operations, service level agreements, and regulatory compliance, particularly in sectors like finance, healthcare, and public administration. The vulnerability requires local administrative privileges to exploit, limiting remote attack vectors but increasing risk from insider threats or compromised accounts. Given the widespread use of Linux in European IT infrastructure and the prevalence of Intel network hardware, the vulnerability could affect a broad range of organizations if unpatched. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is publicly disclosed.
Mitigation Recommendations
European organizations should promptly apply the official Linux kernel patches that address CVE-2021-47399. Specifically, update the kernel to versions where ixgbe_max_channels is corrected to limit queue settings to the number of online CPUs and ixgbe_xdp_setup properly bounds queue usage. Network administrators should audit and restrict the use of ethtool commands that modify queue parameters, limiting such operations to trusted administrators only. Implement monitoring for kernel panics and unusual network interface configurations to detect potential exploitation attempts. For environments where immediate patching is not feasible, consider disabling XDP features on affected interfaces as a temporary workaround to prevent triggering the vulnerability. Additionally, review and enforce strict access controls on systems with Intel 10GbE adapters to prevent unauthorized local configuration changes. Regularly update and test incident response plans to handle potential DoS events caused by this or similar vulnerabilities. Finally, maintain awareness of vendor advisories and Linux kernel updates to ensure timely application of security fixes.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-21T14:58:30.816Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9833c4522896dcbe8fff
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 12:26:11 PM
Last updated: 8/10/2025, 9:26:19 PM
Views: 11
Related Threats
CVE-2025-8834: Cross Site Scripting in JCG Link-net LW-N915R
MediumCVE-2025-55159: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in tokio-rs slab
MediumCVE-2025-55161: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighCVE-2025-25235: CWE-918 Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway
HighCVE-2025-55151: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.