CVE Catalog

CVE-2026-45843

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile - higher than 20% of all known CVEs

Summary

In the Linux kernel, a vulnerability in the SLIP protocol implementation was found where decode() and pull16() functions do not bounds-check the compressed packet length. A short VJ frame can cause an out-of-bounds read, and the excess data is incorporated into the compression state and reflected in subsequent packets.

Risk Assessment

An attacker can send a crafted short VJ packet, causing an out-of-bounds memory read and potentially leaking sensitive data or destabilizing the system.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds bounds checking in decode() and pull16() and before the TCP checksum read.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS