CVE-2026-43094
Awaiting Analysis Awaiting Analysis - Queue
NULL Pointer Dereference in ixgbevf Hyper-V Driver

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ixgbevf: add missing negotiate_features op to Hyper-V ops table Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs. During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...] Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43094
EUVD
EUVD-2026-27598
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intel ixgbevf *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ixgbevf driver, specifically in its handling of Hyper-V virtual machines. The issue is that a function pointer called negotiate_features was added to some operation tables but was mistakenly left NULL in the Hyper-V operations table (ixgbevf_hv_mac_ops).

When the driver probes the hardware, it calls a function that unconditionally dereferences this NULL pointer on Hyper-V VMs, causing a kernel NULL pointer dereference (a crash).

The fix involved adding a proper negotiate_features callback for Hyper-V that returns an error code handled gracefully by the caller, preventing the NULL pointer dereference.


How can this vulnerability impact me? :

This vulnerability can cause a kernel NULL pointer dereference on Linux systems running the ixgbevf driver in Hyper-V virtual machines. This results in a kernel crash (BUG), which can lead to system instability or downtime.

Such crashes can disrupt services running on affected virtual machines, potentially causing data loss or interruption of critical operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a NULL pointer dereference in the ixgbevf driver on Hyper-V virtual machines, causing kernel crashes during device probe.

To detect this issue on your system, you can check your kernel logs for BUG messages related to ixgbevf and NULL pointer dereferences, especially on Hyper-V VMs.

  • Use the command: dmesg | grep -i 'ixgbevf' | grep -i 'NULL pointer dereference'
  • Check system logs for kernel BUG messages: journalctl -k | grep -i 'ixgbevf' | grep -i 'BUG'
  • Verify if the system is running on a Hyper-V virtual machine by checking: systemd-detect-virt or dmidecode | grep -i 'Hyper-V'

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by a missing function pointer in the ixgbevf driver on Hyper-V VMs, leading to kernel crashes.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix which adds the missing negotiate_features callback to ixgbevf_hv_mac_ops.
  • If updating the kernel is not immediately possible, consider disabling the ixgbevf driver on Hyper-V VMs to prevent the NULL pointer dereference.
  • Monitor system stability and avoid using affected network interfaces until the fix is applied.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart