CVE-2026-23054
Description
In the Linux kernel, the following vulnerability has been resolved:
net: hv_netvsc: reject RSS hash key programming without RX indirection table
RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang.
Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return -EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device capabilities and prevents incorrect behavior.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in the Linux kernel's hv_netvsc driver allows unprivileged users to trigger a hang by setting an RSS hash key on a device without an RX indirection table.
Root
Cause
The vulnerability resides in the hv_netvsc driver within the Linux kernel. When the underlying Hyper-V network device reports only a single receive queue, the driver's initialization function rndis_filter_device_add() skips allocating a receive (RX) indirection table. However, the netvsc_set_rxfh() function, responsible for programming the RSS hash key, did not check for the presence of this table before accepting a new key. This led to an invalid state, causing a kernel hang.
Exploitation
An attacker with the ability to set RSS hash keys on a affected virtual NIC can trigger this vulnerability. The exploit requires local access sufficient to invoke the ETHTOOL_SRSSH command on the network device. The attack does not require more than basic user privileges, as the hang occurs at the kernel level. The prerequisite is a device that reports a single receive queue, which is a common configuration.
Impact
Successful exploitation results in a system hang or denial of service (DoS). The kernel becomes unresponsive, affecting all processes and services on the host. This vulnerability can be used by a malicious user to disrupt operations on a multi-tenant Hyper-V host or a guest virtual machine.
Mitigation
The fix is implemented in Linux kernel commits [1] and [2], which add a check for ndc->rx_table_sz in netvsc_set_rxfh(). If the indirection table is absent, the function returns -EOPNOTSUPP, preventing the hang. Administrators should apply the latest stable kernel updates containing these commits. No workaround other than patching is known.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3nvd
- git.kernel.org/stable/c/4cd55c609e85ae2313248ef1a33619a3eef44a16nvd
- git.kernel.org/stable/c/8288136f508e78eb3563e7073975999cf225a2f9nvd
- git.kernel.org/stable/c/82c9039c8ebb715753a40434df714f865a3aec9cnvd
- git.kernel.org/stable/c/d23564955811da493f34412d7de60fa268c8cb50nvd
News mentions
0No linked articles in our index yet.