CVE-2021-47619: i40e: Fix queues reservation for XDP
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix queues reservation for XDP
When XDP was configured on a system with large number of CPUs
and X722 NIC there was a call trace with NULL pointer dereference.
i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12
i40e 0000:87:00.0: setup of MAIN VSI failed
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]
Call Trace:
? i40e_reconfig_rss_queues+0x130/0x130 [i40e]
dev_xdp_install+0x61/0xe0
dev_xdp_attach+0x18a/0x4c0
dev_change_xdp_fd+0x1e6/0x220
do_setlink+0x616/0x1030
? ahci_port_stop+0x80/0x80
? ata_qc_issue+0x107/0x1e0
? lock_timer_base+0x61/0x80
? __mod_timer+0x202/0x380
rtnl_setlink+0xe5/0x170
? bpf_lsm_binder_transaction+0x10/0x10
? security_capable+0x36/0x50
rtnetlink_rcv_msg+0x121/0x350
? rtnl_calcit.isra.0+0x100/0x100
netlink_rcv_skb+0x50/0xf0
netlink_unicast+0x1d3/0x2a0
netlink_sendmsg+0x22a/0x440
sock_sendmsg+0x5e/0x60
__sys_sendto+0xf0/0x160
? __sys_getsockname+0x7e/0xc0
? _copy_from_user+0x3c/0x80
? __sys_setsockopt+0xc8/0x1a0
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f83fa7a39e0
This was caused by PF queue pile fragmentation due to
flow director VSI queue being placed right after main VSI.
Because of this main VSI was not able to resize its
queue allocation for XDP resulting in no queues allocated
for main VSI when XDP was turned on.
Fix this by always allocating last queue in PF queue pile
for a flow director VSI.
Security readout for executives and security teams
Plain-English summary
CVE-2021-47619 is a Linux kernel i40e network driver flaw. On systems with Intel X722 NICs, many CPUs, and XDP enabled, queue allocation could fail and trigger a NULL pointer dereference, potentially crashing affected networking or the kernel path.
Executive priority
Patch during the next suitable maintenance window for affected Linux network hosts. Escalate sooner for production systems using XDP on X722 NICs, because the observed failure mode can disrupt network services or crash kernel execution paths.
Technical view
The i40e driver could fragment PF queue reservations because the flow director VSI was placed after the main VSI. When XDP resized queues, the main VSI could receive no queues, causing a NULL pointer dereference in i40e_xdp. The kernel fix reserves the last PF queue for flow director VSI.
Likely exposure
Exposure appears limited to Linux systems using the i40e driver with X722 NICs where XDP is configured, especially high-CPU-count systems. The source does not identify remote reachability, default exposure, or broad product impact beyond Linux kernel versions and stable fixes.
Exploitation context
The source describes a crash during XDP configuration and marks KEV as false. No cited source reports active exploitation, public exploit use, or weaponized attack paths. Treat this mainly as an availability and operational stability risk unless vendor guidance says otherwise.
Researcher notes
Evidence is strongest for a driver bug and stable kernel fix. The bundle does not provide CVSS, CWE, attacker prerequisites, or exploitability analysis. Validate exposure through hardware, driver, kernel build, and XDP configuration rather than assuming all Linux deployments are affected.
Mitigation direction
Update to a kernel containing the referenced stable i40e fixes.
Check your Linux vendor advisory for backported fixes in packaged kernels.
Avoid enabling XDP on affected i40e/X722 systems until patched, if operationally feasible.
Prioritize hosts where network stability is business critical.
Validation and detection
Inventory hosts using the i40e driver and Intel X722 NICs.
Identify kernels matching the CVE record’s affected Linux versions or missing stable fixes.
Check whether XDP is configured on those interfaces.
Review kernel logs for i40e queue allocation failures or NULL pointer traces.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47619 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.