CVE-2026-43094
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in ixgbevf Hyper-V Driver

Publication date: 2026-05-06

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ixgbevf: add missing negotiate_features op to Hyper-V ops table Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs. During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...] Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43094
EUVD
EUVD-2026-27598
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 6.18
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.17.5 (inc) to 6.18 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 6.1.158 (inc) to 6.2 (exc)
linux linux_kernel From 6.12.55 (inc) to 6.12.83 (exc)
linux linux_kernel From 6.18.1 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.6.114 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ixgbevf driver, specifically in its handling of Hyper-V virtual machines. The issue is that a function pointer called negotiate_features was added to some operation tables but was mistakenly left NULL in the Hyper-V operations table (ixgbevf_hv_mac_ops).

When the driver probes the hardware, it calls a function that unconditionally dereferences this NULL pointer on Hyper-V VMs, causing a kernel NULL pointer dereference (a crash).

The fix involved adding a proper negotiate_features callback for Hyper-V that returns an error code handled gracefully by the caller, preventing the NULL pointer dereference.

Impact Analysis

This vulnerability can cause a kernel NULL pointer dereference on Linux systems running the ixgbevf driver in Hyper-V virtual machines. This results in a kernel crash (BUG), which can lead to system instability or downtime.

Such crashes can disrupt services running on affected virtual machines, potentially causing data loss or interruption of critical operations.

Detection Guidance

This vulnerability manifests as a NULL pointer dereference in the ixgbevf driver on Hyper-V virtual machines, causing kernel crashes during device probe.

To detect this issue on your system, you can check your kernel logs for BUG messages related to ixgbevf and NULL pointer dereferences, especially on Hyper-V VMs.

  • Use the command: dmesg | grep -i 'ixgbevf' | grep -i 'NULL pointer dereference'
  • Check system logs for kernel BUG messages: journalctl -k | grep -i 'ixgbevf' | grep -i 'BUG'
  • Verify if the system is running on a Hyper-V virtual machine by checking: systemd-detect-virt or dmidecode | grep -i 'Hyper-V'
Mitigation Strategies

The vulnerability is caused by a missing function pointer in the ixgbevf driver on Hyper-V VMs, leading to kernel crashes.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix which adds the missing negotiate_features callback to ixgbevf_hv_mac_ops.
  • If updating the kernel is not immediately possible, consider disabling the ixgbevf driver on Hyper-V VMs to prevent the NULL pointer dereference.
  • Monitor system stability and avoid using affected network interfaces until the fix is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43094. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart