CVE-2026-43094
Description
In the Linux kernel, the following vulnerability has been resolved:
ixgbevf: add missing negotiate_features op to Hyper-V ops table
Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs.
During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference:
BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...]
Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing negotiate_features callback in the ixgbevf driver for Hyper-V VMs causes a NULL pointer dereference, leading to a kernel crash.
Vulnerability
Overview
In the Linux kernel's ixgbevf driver, a commit that added the .negotiate_features callback to support mailbox API compatibility (commit a7075f501bd3) failed to include this callback in the Hyper-V-specific operations table ixgbevf_hv_mac_ops [1]. As a result, the function pointer is left as NULL when the driver is used on a Hyper-V virtual machine.
Exploitation
Conditions
During driver probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features() [2]. On a Hyper-V VM, this dereferences a NULL pointer, triggering a kernel crash (BUG: kernel NULL pointer dereference). The crash was observed with the following call trace: ixgbevf_negotiate_api, ixgbevf_sw_init, ixgbevf_probe, local_pci_probe, work_for_cpu_fn [3]. An attacker with local access or the ability to trigger a driver probe on a Hyper-V VM could cause a denial of service by crashing the system.
Impact
The vulnerability results in a denial of service (DoS) via a kernel panic (NULL pointer dereference). The CVSS v3 score is 5.5 (Medium), reflecting the requirement for local access to trigger the issue. No privilege escalation or data corruption has been reported.
Mitigation
The fix adds a new function ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wires it into ixgbevf_hv_mac_ops [4]. The caller already handles -EOPNOTSUPP gracefully, preventing the crash. The patch has been applied to the stable kernel branches. Users should update to the latest kernel or apply the relevant commits.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/1455ff8809843e6e83f1f5b5c0bcc2224c99a3cbnvdPatch
- git.kernel.org/stable/c/2270ebab53128fb73c4a70a292be09094074737fnvdPatch
- git.kernel.org/stable/c/4821d563cd7f251ae728be1a6d04af82a294a5b9nvdPatch
- git.kernel.org/stable/c/4db7b61ec1d1b2b67c0881b62fc4f9583bc21484nvdPatch
- git.kernel.org/stable/c/d8a747057a17ffc79e31df1abb11d05e1669d8e5nvdPatch
News mentions
0No linked articles in our index yet.