Description
In the Linux kernel, the following vulnerability has been resolved:

slip: bound decode() reads against the compressed packet length

slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.

A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.

Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Published: 2026-05-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when slhc_uncompress() parses a VJ-compressed TCP header without checking its reads against the packet length (isize). On a short compressed frame, the helper functions decode() and pull16() advance a pointer beyond the end of the packet, causing an out-of-bounds read. Because the over-read values are folded into the cached compression state (cstate), subsequently reconstructed packets may expose data that was not intended to be visible. decode() masks its return value with & 0xffff, so it can never return the -1 that callers test for, and the over-read goes undetected.
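The helper behaviour described above, modelled in user space as an added example (not the kernel's code and not part of this record), with the unbounded and bounded forms of the decoder side by side. The function names, the `bounded` switch and the sample bytes are constructed for illustration; NEW_W and NEW_A are the RFC 1144 change-byte bits, and the model leaves out the connection number and TCP checksum and handles only the window and ack deltas.

```c
#include <stdint.h>

#define NEW_W 0x02  /* RFC 1144 change-byte bit: window delta follows */
#define NEW_A 0x04  /* RFC 1144 change-byte bit: ack delta follows */

/* Constructed sample: a 2-byte frame, then bytes standing in for adjacent
 * memory so the unbounded over-read stays inside this array. */
static const uint8_t sample[] = { NEW_W | NEW_A, 0x05, 0x00, 0xde, 0xad, 0x00 };

/* Pre-fix shape: no end pointer; the 0xffff mask can never yield -1. */
static long decode_unbounded(const uint8_t **cpp)
{
    int x = *(*cpp)++;
    if (x == 0) {                       /* 0 escapes a 16-bit value */
        long v = ((long)(*cpp)[0] << 8) | (*cpp)[1];
        *cpp += 2;
        return v & 0xffff;
    }
    return x & 0xff;
}

/* Post-fix shape: never read at or past end; return -1 when exhausted. */
static long decode_bounded(const uint8_t **cpp, const uint8_t *end)
{
    if (*cpp >= end) return -1;
    int x = *(*cpp)++;
    if (x != 0) return x;
    if (end - *cpp < 2) return -1;
    long v = ((long)(*cpp)[0] << 8) | (*cpp)[1];
    *cpp += 2;
    return v;
}

/* Returns bytes consumed, or -1 when a bounded read runs out of packet. */
static long parse_deltas(const uint8_t *frame, int isize, int bounded,
                         long *win, long *ack)
{
    const uint8_t *cp = frame, *end = frame + isize;
    if (isize < 1) return -1;
    uint8_t changes = *cp++;
    if (changes & NEW_W) {
        *win = bounded ? decode_bounded(&cp, end) : decode_unbounded(&cp);
        if (*win == -1) return -1;
    }
    if (changes & NEW_A) {
        *ack = bounded ? decode_bounded(&cp, end) : decode_unbounded(&cp);
        if (*ack == -1) return -1;
    }
    return cp - frame;
}
```

Called on `sample` with isize = 2, the unbounded path consumes 5 bytes and hands back the neighbouring 0xdead as the ack delta, while the bounded path returns -1 at the same read.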

Affected Systems

All Linux kernel installations that support the SLIP protocol and use the VJ header compression algorithm are potentially impacted. No specific kernel release is listed, but the issue exists until the patch that adds bounds checking and error handling is applied to the slhc_uncompress() path.

Risk and Exploitability

The flaw can be triggered by a crafted compressed packet sent to a host over a network path that processes SLIP/VJ traffic. The likely attack vector is to deliver such a packet to the kernel, driving decode() to read beyond the packet boundary. Based on the description, it is inferred that the resulting over‑read bytes become part of the cached state, which may expose internal data. The CVSS score of 8.2 reflects high risk, and the EPSS score of <1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting that known exploitation is limited.

Generated by OpenCVE AI on May 30, 2026 at 13:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Linux kernel update that includes the fix for slhc_uncompress().
  • Disable VJ TCP header compression for SLIP connections by setting the appropriate sysctl parameters or recompiling the kernel without SLIP support.
  • Monitor kernel logs for any anomalous packets and verify that the buffer over‑read error does not occur.

Generated by OpenCVE AI on May 30, 2026 at 13:09 UTC.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Thu, 28 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
Title slip: bound decode() reads against the compressed packet length
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:46:20.617Z

Reserved: 2026-05-13T15:03:33.078Z

Link: CVE-2026-45843

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T11:16:23.743

Modified: 2026-06-01T17:17:14.660

Link: CVE-2026-45843

Redhat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45843 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T13:15:24Z

Weaknesses