CVE-2021-47015: bnxt_en: Fix RX consumer index logic in the error path.
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix RX consumer index logic in the error path.
In bnxt_rx_pkt(), the RX buffers are expected to complete in order.
If the RX consumer index indicates an out of order buffer completion,
it means we are hitting a hardware bug and the driver will abort all
remaining RX packets and reset the RX ring. The RX consumer index
that we pass to bnxt_discard_rx() is not correct. We should be
passing the current index (tmp_raw_cons) instead of the old index
(raw_cons). This bug can cause us to be at the wrong index when
trying to abort the next RX packet. It can crash like this:
#0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007
#1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232
#2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e
#3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978
#4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0
#5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e
#6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24
#7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e
#8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12
#9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5
[exception RIP: bnxt_rx_pkt+237]
RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213
RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000
RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000
RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d
R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0
R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
Security readout for executives and security teams
Plain-English summary
CVE-2021-47015 is a Linux kernel bug in the bnxt_en network receive path. When receive buffers complete out of order, the driver can discard from the wrong index and crash the kernel. The main business risk is availability loss on affected Linux systems using this driver path.
Executive priority
Medium priority. Patch during the next controlled kernel maintenance window, faster for internet-facing or high-availability systems that use this driver. There is no source-backed evidence of active exploitation, but a kernel crash can still cause service interruption.
Technical view
In bnxt_rx_pkt(), the RX error path passed raw_cons to bnxt_discard_rx() instead of tmp_raw_cons. During out-of-order RX buffer completion, described as a hardware bug condition, the driver may abort the wrong RX packet and hit a page fault in bnxt_rx_pkt().
Likely exposure
Exposure appears limited to affected Linux kernel versions where the bnxt_en driver is present and handling network RX traffic. The bundle lists Linux 5.1 through 5.13-era affected ranges and multiple stable fix commits, but no distribution-specific package mapping.
Exploitation context
The sources do not show KEV listing, public exploitation, or attacker-controlled exploitation. The provided description ties the crash to out-of-order RX buffer completion and a driver error-path bug. Treat it as an availability issue unless vendor advisories provide stronger evidence.
Researcher notes
Evidence is narrow but coherent: the bug is a wrong consumer index in the bnxt_en RX error path, with a sample crash trace at bnxt_rx_pkt+237. The bundle lacks CVSS, CWE, distro advisories, and exploitability analysis, so exposure validation depends on local kernel and driver inventory.
Mitigation direction
Apply a vendor kernel update containing the referenced stable fixes.
Prioritize critical Linux hosts using the bnxt_en driver.
Check distribution advisories for exact fixed package versions.
Plan reboot or live-patch steps according to vendor guidance.
Monitor affected systems for kernel panics until remediated.
Validation and detection
Inventory Linux kernel versions against the affected ranges in the CVE record.
Confirm whether the bnxt_en driver is loaded or built into deployed kernels.
Verify vendor kernels include one of the referenced stable commits or backports.
Review kernel logs for bnxt_rx_pkt faults, RX ring resets, or related panics.
Regression test network receive traffic after patching.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47015 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.