CVE-2026-45843
Analyzed Analyzed - Analysis Complete

SLIP Packet Length Bounds Read in Linux Kernel

Vulnerability report for CVE-2026-45843, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-26

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-26
Generated
2026-07-07
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's slip protocol implementation, specifically in the slipc_uncompress() function that parses VJ-compressed TCP headers. The decode() function reads data from compressed packets without proper bounds checking against the packet length, allowing it to read past the end of a short compressed frame. This causes an over-read of bytes which are then incorrectly folded into the cached connection state and reflected in subsequent reconstructed packets.

The root cause is that decode() masks its return value so it never returns -1, which callers expect to detect errors, making those error paths ineffective. The fix involves making decode() and pull16() functions take the packet end pointer and return -1 when they reach the end, enabling proper bounds checking and error handling.

Impact Analysis

This vulnerability can lead to the Linux kernel reading beyond the intended bounds of compressed network packets, potentially causing corrupted reconstructed TCP packets. This could result in network communication errors or unexpected behavior in applications relying on these packets.

Because the over-read bytes are folded into the cached connection state and reflected in subsequent packets, it may cause data integrity issues or unpredictable network traffic handling, which could be exploited or cause denial of service in some scenarios.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by modifying the decode() and pull16() functions to properly check packet boundaries and return -1 when exhausted, preventing out-of-bounds reads.

Therefore, the immediate step to mitigate this vulnerability is to update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart