CVE-2026-43094

Summary

In the Linux kernel, the following vulnerability has been resolved:

ixgbevf: add missing negotiate_features op to Hyper-V ops table

Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs.

During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000000 […] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine […] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 […] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 […]

Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux871ac1cd4ce4804defcb428cbb003fd84c415ff4 < 376d74ea03589914fbe2dedcbebf418396c04fd0affected
LinuxLinux2e0aab9ddaf1428602c78f12064cd1e6ffcc4d18 < d8a747057a17ffc79e31df1abb11d05e1669d8e5affected
LinuxLinuxbf580112ed61736c2645a893413a04732505d4b1 < 2270ebab53128fb73c4a70a292be09094074737faffected
LinuxLinuxa7075f501bd33c93570af759b6f4302ef0175168 < 4db7b61ec1d1b2b67c0881b62fc4f9583bc21484affected
LinuxLinuxa7075f501bd33c93570af759b6f4302ef0175168 < 1455ff8809843e6e83f1f5b5c0bcc2224c99a3cbaffected
LinuxLinuxa7075f501bd33c93570af759b6f4302ef0175168 < 4821d563cd7f251ae728be1a6d04af82a294a5b9affected
LinuxLinuxa376e29b1b196dc90b50df7e5e3947e3026300c4affected
LinuxLinux6.1.158 < 6.1.175affected
LinuxLinux6.6.114 < 6.6.136affected
LinuxLinux6.12.55 < 6.12.83affected
LinuxLinux6.17.5 < 6.18affected
LinuxLinux6.18affected
LinuxLinux0 < 6.18unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References