CVE-2026-45843

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slip: bound decode() reads against the compressed packet length<br /> <br /> slhc_uncompress() parses a VJ-compressed TCP header by advancing a<br /> pointer through the packet via decode() and pull16(). Neither helper<br /> bounds-checks against isize, and decode() masks its return with<br /> &amp; 0xffff so it can never return the -1 that callers test for -- those<br /> error paths are dead code.<br /> <br /> A short compressed frame whose change byte requests optional fields<br /> lets decode() read past the end of the packet. The over-read bytes<br /> are folded into the cached cstate and reflected into subsequent<br /> reconstructed packets.<br /> <br /> Make decode() and pull16() take the packet end pointer and return -1<br /> when exhausted. Add a bounds check before the TCP-checksum read.<br /> The existing == -1 tests now do what they were always meant to.