Description
In the Linux kernel, the following vulnerability has been resolved:

ixgbevf: add missing negotiate_features op to Hyper-V ops table

Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by
negotiating supported features") added the .negotiate_features callback
to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot
to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL
on Hyper-V VMs.

During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(),
which unconditionally dereferences hw->mac.ops.negotiate_features().
On Hyper-V this results in a NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
Workqueue: events work_for_cpu_fn
RIP: 0010:0x0
[...]
Call Trace:
ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
local_pci_probe+0x50/0xa0
work_for_cpu_fn+0x1a/0x30
[...]

Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and
wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP
gracefully.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ixgbevf driver for virtual network interfaces contains a missing .negotiate_features callback for Hyper‑V operation. When the driver is probed on a Hyper‑V virtual machine, the function pointer is NULL and the probe routine dereferences it, triggering a kernel BUG and a system crash. The vulnerability does not allow direct code execution or privilege escalation; the primary impact is a denial of service that can affect the entire host. The likely attack vector is local or during system boot: any process that causes the ixgbevf driver to load on a Hyper‑V VM, such as device enumeration or a malicious driver loading, would trigger the crash. This inference comes from the fact that the bug is uncovered during the probe stage. The crash occurs because the driver calls ixgbevf_set_features() unconditionally, expecting a valid .negotiate_features function. Without the function, the kernel dereferences a NULL pointer. The vulnerability is a classic NULL pointer dereference (CWE‑476).

Affected Systems

Any Linux kernel running the ixgbevf driver on a Hyper‑V virtual machine before the commit a7075f501bd3 was applied is affected. The vulnerability is present in all kernel releases that lacked this patch; the fix is included in more recent kernels that incorporate the commit. Affected vendors: Linux (generic), typical Hyper‑V hosted virtual machines using the ixgbevf driver. Exact version ranges are not listed, but any kernel prior to the inclusion of the fix is vulnerable.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, but the presence of a NULL pointer dereference that leads to a kernel panic suggests high severity if the driver can be loaded. Since the exploit requires the driver to be probed on a Hyper‑V VM, it generally needs local or privileged process access to the virtual machine. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of active exploitation, but the potential for denial of service remains significant.

Generated by OpenCVE AI on May 6, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit a7075f501bd3, which wires the negotiate_features callback into ixgbevf_hv_mac_ops.
  • Reboot the system to load the patched kernel and ensure the ixgbevf driver initializes correctly.
  • If the kernel cannot be updated immediately, disable the ixgbevf driver for Hyper‑V network interfaces or remove the driver module to avoid the crash as a temporary workaround.

Generated by OpenCVE AI on May 6, 2026 at 11:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ixgbevf: add missing negotiate_features op to Hyper-V ops table Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs. During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...] Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully.
Title ixgbevf: add missing negotiate_features op to Hyper-V ops table
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:25.930Z

Reserved: 2026-05-01T14:12:55.984Z

Link: CVE-2026-43094

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-06T10:16:22.790

Modified: 2026-05-06T10:16:22.790

Link: CVE-2026-43094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T12:00:03Z

Weaknesses