CVE-2026-45843

Published: May 27, 2026

Modified: Jun 1, 2026

PUBLISHED

CVSS v3.1

8.2

HIGH

Description

In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.

Vendor	Product	Versions
Linux	Linux	affected `1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 6268f01ae989013671b526c883e92655342c6f6f` affected `1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 9aafba2f49e1fcccc2018816f5836a609c925879` affected `1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 335957df4ed60f02a2ec0432fbedbf0cc7241d8b` affected `1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 37537e42e6df387398bee85cb85070cc80bb1e10` affected `1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 4cefe32639933d652614b0bd50f818f9af4af78f` +3 more versions
Linux	Linux	affected `2.6.12` unaffected `0 - < 2.6.12` unaffected `5.10.258 - <= 5.10.` unaffected `5.15.209 - <= 5.15.` unaffected `6.1.175 - <= 6.1.*` +5 more versions