Description
In the Linux kernel, the following vulnerability has been resolved:

ixgbevf: add missing negotiate_features op to Hyper-V ops table

Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
negotiating supported features") added the .negotiate_features callback
to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
on Hyper-V VMs.

During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
which unconditionally dereferences hw->mac.ops.negotiate_features().
On Hyper-V this results in a NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
Workqueue: events work_for_cpu_fn
RIP: 0010:0x0
[...]
Call Trace:
ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
local_pci_probe+0x50/0xa0
work_for_cpu_fn+0x1a/0x30
[...]

Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
gracefully.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ixgbevf driver for virtual network interfaces contains a missing .negotiate_features callback for Hyper‑V operation. When the driver is probed on a Hyper‑V virtual machine, the function pointer is NULL and the probe routine dereferences it, triggering a kernel BUG and a system crash. The vulnerability does not allow direct code execution or privilege escalation; the primary impact is a denial of service that can affect the entire host. The likely attack vector is local or during system boot: any process that causes the ixgbevf driver to load on a Hyper‑V VM, such as device enumeration or a malicious driver loading, would trigger the crash. This inference comes from the fact that the bug is uncovered during the probe stage. The crash occurs because the driver calls ixgbevf_set_features() unconditionally, expecting a valid .negotiate_features function. Without the function, the kernel dereferences a NULL pointer. This vulnerability is a classic NULL pointer dereference and is also categorized under CWE‑476 and CWE‑824.

Affected Systems

Any Linux kernel running the ixgbevf driver on a Hyper‑V virtual machine before the commit a7075f501bd3 was applied is affected. The vulnerability is present in all kernel releases that lacked this patch; the fix is included in more recent kernels that incorporate the commit. Affected vendors: Linux (generic), typical Hyper‑V hosted virtual machines using the ixgbevf driver. Exact version ranges are not listed, but any kernel prior to the inclusion of the fix is vulnerable.

Risk and Exploitability

The CVSS score is 5.5 (moderate severity). The EPSS score is <1%, indicating a low exploitation probability. This indicates that while the bug can cause a denial of service via kernel crash, the likelihood of exploitation is currently low and it is not listed in the CISA KEV catalog. The attack requires the driver to be probed on a Hyper‑V VM, generally requiring local or privileged process access to the virtual machine.

Generated by OpenCVE AI on May 19, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit a7075f501bd3, which wires the negotiate_features callback into ixgbevf_hv_mac_ops.
  • Reboot the system to load the patched kernel and ensure the ixgbevf driver initializes correctly.
  • If the kernel cannot be updated immediately, disable the ixgbevf driver for Hyper‑V network interfaces or remove the driver module to avoid the crash as a temporary workaround.

Generated by OpenCVE AI on May 19, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.18:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 07 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ixgbevf: add missing negotiate_features op to Hyper-V ops table Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs. During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...] Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully.
Title ixgbevf: add missing negotiate_features op to Hyper-V ops table
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:06:16.271Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43094

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:22.790

Modified: 2026-05-19T20:38:59.263

Link: CVE-2026-43094

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43094 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T21:30:14Z

Weaknesses