Description
In the Linux kernel, the following vulnerability has been resolved:

slip: bound decode() reads against the compressed packet length

slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.

A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.

Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the Linux kernel parses a VJ-compressed TCP header without verifying the packet length. The helper functions decode() and pull16() advance a pointer beyond the end of the packet, causing an out-of-bounds read. Because the over-read values are merged into the cached compressor state (cstate), subsequent reconstructed packets may expose data that was not intended to be visible. decode() masks its return value with & 0xffff, so it can never return the -1 that callers test for; the over-read therefore goes undetected.
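
An added sketch, not the kernel's code and not part of the original record: a user-space model of the bounded parsing the description calls for, where both helpers take the packet end pointer and return -1 when exhausted. The function names and the header walk are assumptions based on the RFC 1144 compressed-header layout.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 1144 change-byte bits; this is a model, not the kernel source. */
enum { NEW_C = 0x40, NEW_I = 0x20, NEW_S = 0x08,
       NEW_A = 0x04, NEW_W = 0x02, NEW_U = 0x01 };

/* Big-endian 16-bit read; -1 when fewer than two bytes remain. */
static long pull16_bounded(const uint8_t **cpp, const uint8_t *end)
{
    long v;
    if (end - *cpp < 2)
        return -1;
    v = ((long)(*cpp)[0] << 8) | (*cpp)[1];
    *cpp += 2;
    return v;
}

/* A delta is one byte 1..255, or 0x00 followed by a 16-bit value.
 * The -1 is passed through unmasked so "== -1" tests stay live. */
static long decode_bounded(const uint8_t **cpp, const uint8_t *end)
{
    uint8_t x;
    if (*cpp >= end)
        return -1;
    x = *(*cpp)++;
    return x ? (long)x : pull16_bounded(cpp, end);
}

/* Bytes consumed by the compressed header, or -1 if the frame is short. */
long vj_header_len(const uint8_t *pkt, size_t isize)
{
    static const uint8_t order[] = { NEW_U, NEW_W, NEW_A, NEW_S, NEW_I };
    const uint8_t *cp = pkt, *end = pkt + isize;
    uint8_t changes; size_t i;
    if (isize < 3)
        return -1;
    changes = *cp++;
    if (changes & NEW_C)
        cp++;                               /* connection id */
    if (pull16_bounded(&cp, end) == -1)     /* TCP checksum */
        return -1;
    if ((changes & 0x0f) == 0x0b || (changes & 0x0f) == 0x0f)
        changes &= 0xf0;    /* SPECIAL_I / SPECIAL_D: no U/W/A/S deltas */
    for (i = 0; i < sizeof(order); i++)
        if ((changes & order[i]) && decode_bounded(&cp, end) == -1)
            return -1;
    return (long)(cp - pkt);
}
```

A frame whose change byte requests more optional fields than the buffer holds is rejected here instead of being read past its end.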

Affected Systems

All Linux kernel installations that support the SLIP protocol and use the VJ header compression algorithm are potentially impacted. No specific kernel release is listed, but the issue exists until the patch that adds bounds checking and error handling is applied to the slhc_uncompress() path.

Risk and Exploitability

This flaw can be triggered by a crafted compressed packet sent to a host over a network path that processes SLIP/VJ traffic. An attacker could remotely supply malicious frames to make the kernel read beyond the packet boundary. The read could leak internal kernel data and, if combined with additional weaknesses, could lead to denial of service or privilege escalation. No CVSS score is provided, no EPSS score is available, and the vulnerability is not yet in the KEV catalog, indicating limited publicly known exploitation, yet the nature of the flaw warrants immediate patching.

Generated by OpenCVE AI on May 27, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Linux kernel update that includes the fix for slhc_uncompress().
  • Disable VJ TCP header compression for SLIP connections by setting the appropriate sysctl parameters or recompiling the kernel without SLIP support.
  • Monitor kernel logs for any anomalous packets and verify that the buffer over‑read error does not occur.

Advisories

No advisories yet.

History

Wed, 27 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.
Title slip: bound decode() reads against the compressed packet length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T09:24:45.516Z

Reserved: 2026-05-13T15:03:33.078Z

Link: CVE-2026-45843

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T11:16:23.743

Modified: 2026-05-27T11:16:23.743

Link: CVE-2026-45843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:45:15Z

Weaknesses

No weakness.