LiveActive security incident?Get immediate response
CVE Record

CVE-2021-47619: i40e: Fix queues reservation for XDP

In the Linux kernel, the following vulnerability has been resolved: i40e: Fix queues reservation for XDP When XDP was configured on a system with large number of CPUs and X722 NIC there was a call trace with NULL pointer dereference. i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12 i40e 0000:87:00.0: setup of MAIN VSI failed BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e] Call Trace: ? i40e_reconfig_rss_queues+0x130/0x130 [i40e] dev_xdp_install+0x61/0xe0 dev_xdp_attach+0x18a/0x4c0 dev_change_xdp_fd+0x1e6/0x220 do_setlink+0x616/0x1030 ? ahci_port_stop+0x80/0x80 ? ata_qc_issue+0x107/0x1e0 ? lock_timer_base+0x61/0x80 ? __mod_timer+0x202/0x380 rtnl_setlink+0xe5/0x170 ? bpf_lsm_binder_transaction+0x10/0x10 ? security_capable+0x36/0x50 rtnetlink_rcv_msg+0x121/0x350 ? rtnl_calcit.isra.0+0x100/0x100 netlink_rcv_skb+0x50/0xf0 netlink_unicast+0x1d3/0x2a0 netlink_sendmsg+0x22a/0x440 sock_sendmsg+0x5e/0x60 __sys_sendto+0xf0/0x160 ? __sys_getsockname+0x7e/0xc0 ? _copy_from_user+0x3c/0x80 ? __sys_setsockopt+0xc8/0x1a0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f83fa7a39e0 This was caused by PF queue pile fragmentation due to flow director VSI queue being placed right after main VSI. Because of this main VSI was not able to resize its queue allocation for XDP resulting in no queues allocated for main VSI when XDP was turned on. Fix this by always allocating last queue in PF queue pile for a flow director VSI.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2021-47619 is a Linux kernel i40e network driver flaw. On systems with Intel X722 NICs, many CPUs, and XDP enabled, queue allocation could fail and trigger a NULL pointer dereference, potentially crashing affected networking or the kernel path.

Executive priority

Patch during the next suitable maintenance window for affected Linux network hosts. Escalate sooner for production systems using XDP on X722 NICs, because the observed failure mode can disrupt network services or crash kernel execution paths.

Technical view

The i40e driver could fragment PF queue reservations because the flow director VSI was placed after the main VSI. When XDP resized queues, the main VSI could receive no queues, causing a NULL pointer dereference in i40e_xdp. The kernel fix reserves the last PF queue for flow director VSI.

Likely exposure

Exposure appears limited to Linux systems using the i40e driver with X722 NICs where XDP is configured, especially high-CPU-count systems. The source does not identify remote reachability, default exposure, or broad product impact beyond Linux kernel versions and stable fixes.

Exploitation context

The source describes a crash during XDP configuration and marks KEV as false. No cited source reports active exploitation, public exploit use, or weaponized attack paths. Treat this mainly as an availability and operational stability risk unless vendor guidance says otherwise.

Researcher notes

Evidence is strongest for a driver bug and stable kernel fix. The bundle does not provide CVSS, CWE, attacker prerequisites, or exploitability analysis. Validate exposure through hardware, driver, kernel build, and XDP configuration rather than assuming all Linux deployments are affected.

Mitigation direction

  • Update to a kernel containing the referenced stable i40e fixes.
  • Check your Linux vendor advisory for backported fixes in packaged kernels.
  • Avoid enabling XDP on affected i40e/X722 systems until patched, if operationally feasible.
  • Prioritize hosts where network stability is business critical.

Validation and detection

  • Inventory hosts using the i40e driver and Intel X722 NICs.
  • Identify kernels matching the CVE record’s affected Linux versions or missing stable fixes.
  • Check whether XDP is configured on those interfaces.
  • Review kernel logs for i40e queue allocation failures or NULL pointer traces.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-47619 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux41c445ff0f482bb6e6b72dcee9e598e20575f743, 41c445ff0f482bb6e6b72dcee9e598e20575f743, 41c445ff0f482bb6e6b72dcee9e598e20575f743, 41c445ff0f482bb6e6b72dcee9e598e20575f743, 41c445ff0f482bb6e6b72dcee9e598e20575f743, 41c445ff0f482bb6e6b72dcee9e598e20575f743unaffected
LinuxLinux3.12, 0, 4.19.228, 5.4.176, 5.10.96, 5.15.19, 5.16.5, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.