CVE-2026-45842
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-476
Desreferencia a puntero nulo (NULL)
Fecha de publicación:
27/05/2026
Última modificación:
26/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
slip: reject VJ receive packets on instances with no rstate array<br />
<br />
slhc_init() accepts rslots == 0 as a valid configuration, with the<br />
documented meaning of &#39;no receive compression&#39;. In that case the<br />
allocation loop in slhc_init() is skipped, so comp->rstate stays<br />
NULL and comp->rslot_limit stays 0 (from the kzalloc of struct<br />
slcompress).<br />
<br />
The receive helpers do not defend against that configuration.<br />
slhc_uncompress() dereferences comp->rstate[x] when the VJ header<br />
carries an explicit connection ID, and slhc_remember() later assigns<br />
cs = &comp->rstate[...] after only comparing the packet&#39;s slot number<br />
to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the<br />
range check, and the code dereferences a NULL rstate.<br />
<br />
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID<br />
stores its argument in a signed int, and (val >> 16) uses arithmetic<br />
shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1<br />
is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because<br />
/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path<br />
is reachable from an unprivileged user namespace. Once the malformed<br />
VJ state is installed, any inbound VJ-compressed or VJ-uncompressed<br />
frame that selects slot 0 crashes the kernel in softirq context:<br />
<br />
Oops: general protection fault, probably for non-canonical<br />
address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI<br />
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br />
RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)<br />
Call Trace:<br />
<br />
ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)<br />
ppp_input (drivers/net/ppp/ppp_generic.c:2359)<br />
ppp_async_process (drivers/net/ppp/ppp_async.c:492)<br />
tasklet_action_common (kernel/softirq.c:926)<br />
handle_softirqs (kernel/softirq.c:623)<br />
run_ksoftirqd (kernel/softirq.c:1055)<br />
smpboot_thread_fn (kernel/smpboot.c:160)<br />
kthread (kernel/kthread.c:436)<br />
ret_from_fork (arch/x86/kernel/process.c:164)<br />
<br />
<br />
Reject the receive side on such instances instead of touching rstate.<br />
slhc_uncompress() falls through to its existing &#39;bad&#39; label, which<br />
bumps sls_i_error and enters the toss state. slhc_remember() mirrors<br />
that with an explicit sls_i_error increment followed by slhc_toss();<br />
the sls_i_runt counter is not used here because a missing rstate is<br />
an internal configuration state, not a runt packet.<br />
<br />
The transmit path is unaffected: the only in-tree caller that picks<br />
rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and<br />
slip.c always calls slhc_init(16, 16), so comp->tstate remains valid<br />
and slhc_compress() continues to work.
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.32.70 (incluyendo) | 2.6.33 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.2.75 (incluyendo) | 3.3 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.4.111 (incluyendo) | 3.5 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.10.96 (incluyendo) | 3.11 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.12.53 (incluyendo) | 3.13 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.14.60 (incluyendo) | 3.15 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.18.27 (incluyendo) | 3.19 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.1.17 (incluyendo) | 4.2 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.3.5 (incluyendo) | 5.10.258 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (incluyendo) | 5.15.209 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (incluyendo) | 6.1.175 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (incluyendo) | 6.6.141 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.91 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.33 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.10 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430
- https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586
- https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d
- https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152
- https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf
- https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1
- https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301
- https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e



