CVE-2026-45843
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
In the Linux kernel, a vulnerability in the SLIP protocol implementation was found where decode() and pull16() functions do not bounds-check the compressed packet length. A short VJ frame can cause an out-of-bounds read, and the excess data is incorporated into the compression state and reflected in subsequent packets.
Risk Assessment
An attacker can send a crafted short VJ packet, causing an out-of-bounds memory read and potentially leaking sensitive data or destabilizing the system.
Recommendation
Immediately update the Linux kernel to a version containing the fix that adds bounds checking in decode() and pull16() and before the TCP checksum read.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.

