CVE-2026-45843
Status: Received - Intake
SLIP Packet Length Bounds Read in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

slip: bound decode() reads against the compressed packet length

slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.

Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-05-27
AI Q&A
2026-05-27
Affected Vendors & Products
Vendor   Product        Version / Range
linux    linux_kernel   *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's SLIP driver, specifically in slhc_uncompress(), which parses VJ-compressed TCP headers. The decode() helper reads from the compressed packet without bounds-checking against the packet length, so on a short compressed frame it can read past the end of the packet. The over-read bytes are then folded into the cached connection state and reflected in subsequent reconstructed packets.

The root cause is that decode() masks its return value with & 0xffff, so it can never return the -1 that callers test for; those error paths are dead code. The fix makes decode() and pull16() take the packet end pointer and return -1 when the packet is exhausted, so the existing == -1 checks now catch truncated frames.
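To make the masking defect concrete, here is an added, simplified C model of the VJ delta decoder; it is not the kernel's slhc.c code, and the delta encoding (one byte for 1..255, a zero byte followed by a 16-bit value otherwise) and the function names decode_masked() and decode_deltas() are assumptions made for the example. It contrasts the pre-fix shape, where & 0xffff turns pull16()'s -1 into 0xffff and the caller's == -1 test never fires, with the fixed shape that takes the packet end pointer and lets -1 propagate.

```c
#include <stddef.h>

/* 16-bit big-endian read; -1 when fewer than 2 bytes remain before end. */
static long pull16(const unsigned char **cpp, const unsigned char *end)
{
    if (end - *cpp < 2)
        return -1;
    long v = ((long)(*cpp)[0] << 8) | (*cpp)[1];
    *cpp += 2;
    return v;
}

/* Pre-fix shape (model, not slhc.c): the & 0xffff turns pull16()'s -1 into
 * 0xffff, so a caller's == -1 test can never fire. The first-byte check is
 * only here so this model never over-reads; the original had none. */
static long decode_masked(const unsigned char **cpp, const unsigned char *end)
{
    if (*cpp >= end)
        return -1;
    unsigned long x = *(*cpp)++;
    return x == 0 ? (pull16(cpp, end) & 0xffff) : (long)x;
}

/* Fixed shape: takes the packet end and lets -1 propagate unchanged. */
static long decode(const unsigned char **cpp, const unsigned char *end)
{
    if (*cpp >= end)
        return -1;
    unsigned long x = *(*cpp)++;
    return x == 0 ? pull16(cpp, end) : (long)x;
}

/* Decode n deltas from frame[0..len) into out; 0 on success, -1 if the
 * frame runs out. use_masked selects the pre-fix decoder for comparison. */
static int decode_deltas(const unsigned char *frame, size_t len, int n,
                         long *out, int use_masked)
{
    const unsigned char *cp = frame, *end = frame + len;
    for (int i = 0; i < n; i++) {
        long v = use_masked ? decode_masked(&cp, end) : decode(&cp, end);
        if (v == -1)
            return -1;
        out[i] = v;
    }
    return 0;
}
```

On the constructed two-byte frame {0x05, 0x00} (delta 5, then an escape byte with no 16-bit value behind it), the fixed decoder returns -1, while the masked one returns 0 and hands the caller 0xffff as the second delta, which is exactly the kind of bogus value that would be folded into cached state.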


How can this vulnerability impact me?

This vulnerability lets the Linux kernel read beyond the bounds of a compressed network packet, which can corrupt the reconstructed TCP packets. That can cause network communication errors or unexpected behaviour in applications that rely on those packets.

Because the over-read bytes are folded into the cached connection state and reflected in subsequent packets, the effect persists beyond the single bad frame, causing data-integrity problems or unpredictable traffic handling, which in some scenarios could be exploited or lead to denial of service.


What immediate steps should I take to mitigate this vulnerability?

The fix changes decode() and pull16() to check packet boundaries and return -1 when the packet is exhausted, preventing the out-of-bounds reads.

The immediate mitigation step is therefore to update to a Linux kernel version that includes this fix.

