CVE-2021-47647

5.5 MEDIUM

📋 TL;DR

This CVE describes a NULL pointer dereference vulnerability in the Linux kernel's Qualcomm IPQ8074 PCI-E clock driver. When the kernel attempts to access a missing clock parent during initialization, it causes a kernel panic and system crash. This affects Linux systems using Qualcomm IPQ8074-based hardware with vulnerable kernel versions.

💻 Affected Systems

Products:
  • Linux kernel with Qualcomm IPQ8074 clock driver
Versions: Linux kernel versions containing the vulnerable code (the CVE does not list specific versions; the stack trace suggests around 5.15.x)
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects systems with Qualcomm IPQ8074 SoC hardware (like Xiaomi AX3600 router shown in stack trace). Requires the specific clock configuration that triggers the missing parent condition.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system crash and denial of service during boot, requiring physical intervention to restart the device.

🟠 Likely Case: System fails to boot properly, resulting in denial of service and potential data loss if the system crashes during operation.

🟢 If Mitigated: System operates normally with patched kernel or unaffected hardware.

🌐 Internet-Facing: LOW - This is a local kernel panic issue, not remotely exploitable for code execution.
🏢 Internal Only: MEDIUM - Affects system stability and availability, but requires local hardware/device access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires specific hardware and timing conditions to trigger the panic.

This appears to be a reliability/availability issue rather than a security exploit. The vulnerability causes a crash during system initialization, making it difficult to weaponize for traditional attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in kernel commits referenced in the CVE (e.g., 41e360fa73a4c2f5b78f5ded78a5375b08c206a5)

Vendor Advisory: https://git.kernel.org/stable/c/41e360fa73a4c2f5b78f5ded78a5375b08c206a5

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix.
2. For embedded devices, update firmware from vendor.
3. Reboot system to load patched kernel.

🔧 Temporary Workarounds

Disable PCI-E interface


If PCI-E functionality is not required, disable it in kernel configuration or device tree.

echo 'blacklist pcie_qcom' >> /etc/modprobe.d/blacklist.conf
update-initramfs -u

🧯 If You Can't Patch

  • Use earlycon boot parameter to capture crash logs for debugging
  • Ensure proper hardware configuration matches kernel expectations

🔍 How to Verify

Check if Vulnerable:

Check if system uses Qualcomm IPQ8074 hardware and vulnerable kernel version. Look for crash logs matching the stack trace.

Check Version:

uname -r

Verify Fix Applied:

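Check that the kernel source the running kernel was built from includes the fix commit: 'git log --format=%H | grep -i "41e360fa73a4c2f5b78f5ded78a5375b08c206a5"' (the full hash is needed because --oneline prints abbreviated hashes that this grep would never match), or verify the system boots without PCI-E related panics.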

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages referencing clk_core_get_parent_by_index
  • PCI-E initialization failures
  • Data abort errors at address 0000a00000000000

Network Indicators:

  • Device becoming unresponsive during boot

SIEM Query:

source="kernel" AND ("clk_core_get_parent_by_index" OR "0000a00000000000" OR "PCI-E clock oops")
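
The query above ORs its terms, so any unrelated fault that shares one string also matches. The following added example (not part of the original advisory or of any kernel tooling) reports only oops reports that mention clk_core_get_parent_by_index and rates them by fault address. It assumes arm64-style oops framing; the sample log, its offsets and the symbol hypothetical_other_probe are constructed.

```python
import re

# Indicators taken from the "Log Indicators" list on this page.
SYMBOL = "clk_core_get_parent_by_index"
FAULT_ADDR = "0000a00000000000"

# Assumption: arm64-style oops framing. "Unable to handle kernel ..." opens a
# report and "---[ end trace" closes it; adjust both for your log source.
OOPS_START = re.compile(r"Unable to handle kernel .* at virtual address ([0-9a-f]+)")
OOPS_END = re.compile(r"---\[ end trace")


def find_clk_parent_oops(lines):
    """Return one finding per oops report whose body mentions SYMBOL."""
    findings, current = [], None

    def close(report):
        # Reports that never mention SYMBOL are dropped. With SYMBOL present,
        # the page's fault address raises confidence from medium to high.
        if report and report.pop("seen"):
            exact = report["address"] == FAULT_ADDR
            report["confidence"] = "high" if exact else "medium"
            findings.append(report)

    for lineno, line in enumerate(lines, 1):
        start = OOPS_START.search(line)
        if start:
            close(current)  # previous report had no end marker
            current = {"line": lineno, "address": start.group(1), "seen": False}
        elif current is not None:
            current["seen"] |= SYMBOL in line
            if OOPS_END.search(line):
                close(current)
                current = None
    close(current)  # a boot-time panic can cut the log before the end marker
    return findings


# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
[    0.512301] pci 0000:00:00.0: PCI bridge to [bus 01-ff]
[    0.734120] Unable to handle kernel paging request at virtual address 0000a00000000000
[    0.734290]  clk_core_get_parent_by_index+0x68/0xec
[    0.734402] ---[ end trace 0000000000000000 ]---
[    9.100000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[    9.100050]  hypothetical_other_probe+0x10/0x40
[    9.100090] ---[ end trace 0000000000000000 ]---
[   12.000000] Unable to handle kernel paging request at virtual address 0000a00000000000
[   12.000040]  clk_core_get_parent_by_index+0x68/0xec
""".splitlines()
```

Feed it lines from a serial console or earlycon capture; each finding carries the line number where the report starts.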
