CVE-2026-45843

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
26/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slip: bound decode() reads against the compressed packet length<br /> <br /> slhc_uncompress() parses a VJ-compressed TCP header by advancing a<br /> pointer through the packet via decode() and pull16(). Neither helper<br /> bounds-checks against isize, and decode() masks its return with<br /> &amp; 0xffff so it can never return the -1 that callers test for -- those<br /> error paths are dead code.<br /> <br /> A short compressed frame whose change byte requests optional fields<br /> lets decode() read past the end of the packet. The over-read bytes<br /> are folded into the cached cstate and reflected into subsequent<br /> reconstructed packets.<br /> <br /> Make decode() and pull16() take the packet end pointer and return -1<br /> when exhausted. Add a bounds check before the TCP-checksum read.<br /> The existing == -1 tests now do what they were always meant to.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.12.1 (including) 5.10.258 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.141 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.91 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.10 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*