8.2

CVE-2026-45843

slip: bound decode() reads against the compressed packet length

In the Linux kernel, the following vulnerability has been resolved:

slip: bound decode() reads against the compressed packet length

slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.

A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.

Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.12.1 < 5.10.258
LinuxLinux Kernel Version >= 5.11 < 5.15.209
LinuxLinux Kernel Version >= 5.16 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.141
LinuxLinux Kernel Version >= 6.7 < 6.12.91
LinuxLinux Kernel Version >= 6.13 < 6.18.33
LinuxLinux Kernel Version >= 6.19 < 7.0.10
LinuxLinux Kernel Version2.6.12 Update-
LinuxLinux Kernel Version2.6.12 Updaterc2
LinuxLinux Kernel Version2.6.12 Updaterc3
LinuxLinux Kernel Version2.6.12 Updaterc4
LinuxLinux Kernel Version2.6.12 Updaterc5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.193
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 8.2 3.9 4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10
Patch
https://git.kernel.org/stable/c/4cefe32639933d652614b0bd50f818f9af4af78f
Patch
https://git.kernel.org/stable/c/0511ecb00e61bf28e2fec4bb41fcce385c3a3b2d
Patch
https://git.kernel.org/stable/c/d42bec6e4f6d6d658be365539400b3314b76b2a7
Patch
https://git.kernel.org/stable/c/4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7
Patch
https://git.kernel.org/stable/c/335957df4ed60f02a2ec0432fbedbf0cc7241d8b
Patch
https://git.kernel.org/stable/c/6268f01ae989013671b526c883e92655342c6f6f
Patch
https://git.kernel.org/stable/c/9aafba2f49e1fcccc2018816f5836a609c925879
Patch