Copyright © 2012 Red Hat, Inc. All rights reserved.
Moderate
2026-05-27T00:00:00
kernel: slip: bound decode() reads against the compressed packet length
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-125
In the Linux kernel, the following vulnerability has been resolved:
slip: bound decode() reads against the compressed packet length
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
A flaw was found in the Linux kernel's Serial Line Internet Protocol (SLIP) implementation. The `slhc_uncompress()` function, which handles VJ-compressed TCP headers, fails to perform proper bounds checks during packet processing. A remote attacker could exploit this by sending a specially crafted compressed frame, causing an out-of-bounds read. This vulnerability may lead to information disclosure or data corruption in subsequent reconstructed packets.
Red Hat Enterprise Linux 10
Fix deferred
kernel
Red Hat Enterprise Linux 6
Not affected
kernel
Red Hat Enterprise Linux 7
Fix deferred
kernel
Red Hat Enterprise Linux 7
Fix deferred
kernel-rt
Red Hat Enterprise Linux 8
Fix deferred
kernel
Red Hat Enterprise Linux 8
Fix deferred
kernel-rt
Red Hat Enterprise Linux 9
Fix deferred
kernel
Red Hat Enterprise Linux 9
Fix deferred
kernel-rt
https://www.cve.org/CVERecord?id=CVE-2026-45843
https://nvd.nist.gov/vuln/detail/CVE-2026-45843
https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45843-7efb@gregkh/T