CVE-2021-47562: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
ice: fix vsi->txq_map sizing
The approach of having XDP queue per CPU regardless of user's setting exposed a hidden bug that could occur in case when Rx queue count differs from Tx queue count. Currently vsi->txq_map's size is equal to the doubled vsi->alloc_txq, which is not correct due to the fact that XDP rings were previously based on the Rx queue count. Below splat can be seen when ethtool -L is used and XDP rings are configured:
[ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f
[ 682.883403] #PF: supervisor read access in kernel mode
[ 682.889345] #PF: error_code(0x0000) - not-present page
[ 682.895289] PGD 0 P4D 0
[ 682.898218] Oops: 0000 [#1] PREEMPT SMP PTI
[ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1
[ 682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016
[ 682.923380] RIP: 0010:devres_remove+0x44/0x130
[ 682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8
[ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002
[ 682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370
[ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000
[ 682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000
[ 682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60
[ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c
[ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000
[ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0
[ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 683.038336] Call Trace:
[ 683.041167] devm_kfree+0x33/0x50
[ 683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice]
[ 683.050380] ice_vsi_rebuild+0x4c8/0x750 [ice]
[ 683.055543] ice_vsi_recfg_qs+0x9a/0x110 [ice]
[ 683.060697] ice_set_channels+0x14f/0x290 [ice]
[ 683.065962] ethnl_set_channels+0x333/0x3f0
[ 683.070807] genl_family_rcv_msg_doit+0xea/0x150
[ 683.076152] genl_rcv_msg+0xde/0x1d0
[ 683.080289] ? channels_prepare_data+0x60/0x60
[ 683.085432] ? genl_get_cmd+0xd0/0xd0
[ 683.089667] netlink_rcv_skb+0x50/0xf0
[ 683.094006] genl_rcv+0x24/0x40
[ 683.097638] netlink_unicast+0x239/0x340
[ 683.102177] netlink_sendmsg+0x22e/0x470
[ 683.106717] sock_sendmsg+0x5e/0x60
[ 683.110756] __sys_sendto+0xee/0x150
[ 683.114894] ? handle_mm_fault+0xd0/0x2a0
[ 683.119535] ? do_user_addr_fault+0x1f3/0x690
[ 683.134173] __x64_sys_sendto+0x25/0x30
[ 683.148231] do_syscall_64+0x3b/0xc0
[ 683.161992] entry_SYSCALL_64_after_hwframe+0x44/0xae
Fix this by taking into account the value that num_possible_cpus() yields in addition to vsi->alloc_txq instead of doubling the latter.
AI Analysis
Technical Summary
CVE-2021-47562 is a vulnerability in the Linux kernel's ice network driver, which supports Intel Ethernet devices, in how it sizes the transmit queue map (vsi->txq_map). The root cause is a mismatch in assumptions about the number of transmit (Tx) and receive (Rx) queues when eXpress Data Path (XDP) rings are configured per CPU. Specifically, the vsi->txq_map array was sized at twice the vsi->alloc_txq value, without accounting for the number of possible CPUs (num_possible_cpus()). When the Rx queue count differs from the Tx queue count, this discrepancy leads to out-of-bounds access and a NULL pointer dereference in kernel space, causing a kernel crash (kernel oops).
The vulnerability manifests during operations such as changing ethtool channel settings or configuring XDP rings, as evidenced by kernel logs showing a NULL pointer dereference and a stack trace involving ice_vsi_rebuild and related functions. The fix adjusts the sizing logic to consider both the number of allocated Tx queues and the number of possible CPUs, preventing the out-of-bounds access.
This is a logic error in the network driver that can be triggered by local users with privileges to reconfigure network interfaces, leading to denial of service (DoS) via kernel crash. There is no indication of remote exploitation or privilege escalation, and no known exploits in the wild have been reported as of the publication date. The vulnerability affects Linux kernel versions containing the affected ice driver code prior to the patch date, with the specific commit hashes referenced. Remediation requires a kernel-level patch.
Potential Impact
For European organizations, the primary impact of CVE-2021-47562 is the potential for local denial of service on Linux systems running affected Intel Ethernet hardware with the ice driver. This can disrupt network connectivity and availability of critical services, especially in data centers, cloud environments, and enterprise networks where Linux servers are prevalent. Organizations relying on high-performance networking with XDP or ethtool channel configurations may experience instability or crashes if the vulnerability is triggered. While the vulnerability does not directly lead to data breaches or privilege escalation, the resulting kernel crashes can cause service interruptions, impacting business continuity and operational efficiency. In sectors such as finance, telecommunications, healthcare, and government, where Linux servers are widely deployed, such disruptions could have significant operational and reputational consequences. Additionally, the need to apply kernel patches and reboot systems to remediate the issue may require planned maintenance windows, affecting service availability. Since the vulnerability requires local access and privileged operations to exploit, the risk is mitigated by strong access controls; however, insider threats or compromised accounts could leverage this flaw to cause denial of service.
Mitigation Recommendations
To mitigate CVE-2021-47562, European organizations should:
1) Identify Linux systems using Intel Ethernet devices supported by the ice driver, particularly those running kernel versions prior to the patch date.
2) Apply the official Linux kernel patches that fix the txq_map sizing logic as soon as they become available from trusted sources or Linux distribution vendors.
3) If immediate patching is not feasible, restrict access to privileged users who can modify network interface settings or use ethtool to prevent triggering the vulnerability.
4) Monitor system logs for kernel oops or crashes related to the ice driver and ethtool operations to detect potential exploitation attempts or instability.
5) Test kernel updates in staging environments to ensure compatibility with existing network configurations, especially those using XDP or advanced channel settings.
6) Maintain strict user privilege management and audit network configuration changes to reduce the risk of accidental or malicious triggering of the vulnerability.
7) Consider network segmentation and isolation of critical Linux servers to limit exposure to local attackers.
These steps go beyond generic advice by focusing on hardware-specific driver patching, access control to network configuration tools, and proactive monitoring of kernel stability.
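
The log monitoring in step 4, as an added example (not code from this advisory or from the kernel project): it groups dmesg-style lines into NULL-dereference reports and flags those whose call trace passes through the ice module on the ethtool channel path shown in the splat. The names find_ice_oops and matches_page_trace, and the second sample report (module "foo"), are constructed for illustration.

```python
import re

STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
FRAME = re.compile(r"^\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
COMM = re.compile(r"\bComm: (\S+)")
# Functions named in the page's call trace for the ethtool -L path.
SIGNATURE = {"ice_vsi_free_arrays", "ice_vsi_rebuild", "ice_set_channels"}

def find_ice_oops(lines):
    """Group kernel log lines into oops reports; keep those with [ice] frames."""
    reports, cur = [], None
    for line in lines:
        m = STAMP.match(line.strip())
        if not m:
            continue
        ts, body = float(m.group(1)), m.group(2)
        if body.startswith("BUG: kernel NULL pointer dereference"):
            if cur:
                reports.append(cur)
            cur = {"time": ts, "comm": None, "ice_frames": []}
        elif cur is not None:
            comm = COMM.search(body)
            frame = FRAME.match(body)
            if comm:
                cur["comm"] = comm.group(1)
            elif frame and frame.group(2) == "ice":
                cur["ice_frames"].append(frame.group(1))
    if cur:
        reports.append(cur)
    for r in reports:
        r["matches_page_trace"] = r["comm"] == "ethtool" and SIGNATURE <= set(r["ice_frames"])
    return [r for r in reports if r["ice_frames"]]

# Sample: lines excerpted from the splat above, then a constructed unrelated report.
SAMPLE = """\
[ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f
[ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1
[ 682.923380] RIP: 0010:devres_remove+0x44/0x130
[ 683.041167] devm_kfree+0x33/0x50
[ 683.045004] ice_vsi_free_arrays+0x5e/0xc0 [ice]
[ 683.050380] ice_vsi_rebuild+0x4c8/0x750 [ice]
[ 683.060697] ice_set_channels+0x14f/0x290 [ice]
[ 900.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 900.000002] CPU: 3 PID: 4242 Comm: foo_tool Not tainted 5.15.0-rc5+ #1
[ 900.000003] foo_free+0x10/0x20 [foo]
""".splitlines()

if __name__ == "__main__":
    print(find_ice_oops(SAMPLE))
```

A match is a triage hint that the crash followed the same path as the splat, not proof of this CVE; confirm against the running kernel version.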
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:11:00.728Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe9499
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 2:41:38 PM
Last updated: 7/30/2025, 7:16:26 AM