Security readout for executives and security teams
Plain-English summary
CVE-2021-47563 is a Linux kernel bug in the ice network driver that can crash a system when XDP program references are mishandled during interface rebuilds. It is an availability issue, not a documented data theft or privilege escalation issue, and sources do not show active exploitation.
Executive priority
Treat this as a moderate-priority availability fix for Linux network infrastructure. It can crash affected systems but requires local access and specific driver conditions. Patch during the next controlled maintenance window, sooner for critical hosts using the ice driver.
Technical view
The ice driver shares XDP resources between ndo_bpf handling and VSI rebuild flow. During rebuild, the same bpf_prog pointer can be treated as both new and old, causing bpf_prog_put to underflow the reference count and leaving the kernel dereferencing freed state, resulting in a page fault or crash.
Likely exposure
Exposure is likely limited to Linux systems using the ice driver with affected kernel versions or affected downstream backports. The source lists Linux 5.5, 5.10.83, 5.15.6, 5.16, and commit efc2214b6047 as affected indicators; confirm exact distro package status with vendor advisories.
Exploitation context
The CVSS vector is local, low complexity, low privileges, no user interaction, with high availability impact. The CVE is not in KEV in the provided bundle, and no cited source states active exploitation. The described failure occurs around XDP and VSI rebuild behavior in the ice driver.
Researcher notes
Evidence supports a refcounting flaw in ice XDP resource handling during VSI rebuilds. Public sources provide root-cause detail and stable commit references, but do not provide KEV listing, active exploitation evidence, or downstream vendor package mappings in this bundle.
Mitigation direction
Apply a kernel update containing the referenced stable fixes or your distribution vendor's backport.
Prioritize hosts that load the ice driver and run affected kernel builds.
Check vendor guidance if no patched kernel is immediately available.
Limit low-privilege local access on affected network hosts until patched.
Plan required maintenance reboot after kernel update.
Validation and detection
Inventory hosts running Linux kernels listed as affected in the source bundle.
Identify systems where the ice kernel module is loaded.
Confirm whether the installed kernel contains one of the referenced stable commits or vendor backport.
Review logs for kernel oops or page fault traces involving ice, XDP, or dev_xdp_prog_id.
Confirm patch status through the distribution's kernel changelog or advisory.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47563 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.