KernelScan.io

HIGH

slip VJCompress OOB

CVE-2026-45843

CVSS 8.2 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

KernelScan AI: 6.5 MEDIUM

01

In the Linux kernel, the following vulnerability has been resolved:

slip: bound decode() reads against the compressed packet length

slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.

A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.

Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.

02

Engine v0.2.0

Risk summary

Systems that use the SLIP protocol for serial-line connections are vulnerable to out-of-bounds memory reads when processing malformed VJ-compressed TCP packets. Attackers can send crafted packets to leak kernel memory into cached connection state and corrupt subsequent packet reconstruction.

Affected: drivers/net/slip/slhc.c (SLIP protocol)

Vulnerability analysis

The vulnerability is in the Van Jacobson (VJ) TCP header compression parser used by the SLIP driver. decode() and pull16() advance through a compressed packet without checking against the packet length, and decode() masks its return value, so the -1 error that callers test for can never be returned. A short compressed frame that requests optional fields therefore causes reads past the end of the packet; the adjacent memory is incorporated into cached connection state and reflected into subsequently reconstructed packets. The fix passes the packet end pointer to both helpers, returns -1 when the data is exhausted, and adds a bounds check before the TCP-checksum read, which makes the existing error handling effective.
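The pattern described above, as an added user-space sketch (not the kernel source and not the upstream patch): an unbounded field decoder whose mask hides errors, beside a bounded one that takes the packet end pointer. The function names, the sample buffer and the simplified field encoding (a 0x00 byte means a 16-bit value follows) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Pre-fix shape: no end pointer, and the 16-bit path is masked with
 * & 0xffff, so a caller's "== -1" test can never fire. */
static int decode_unbounded(const unsigned char **cpp) {
    int x = *(*cpp)++;
    if (x == 0) {
        x = ((*cpp)[0] << 8) | (*cpp)[1];
        *cpp += 2;
        return x & 0xffff;
    }
    return x & 0xff;
}

/* Bounded shape: the caller passes the end of the compressed packet and
 * exhaustion is reported as -1, with no mask to hide it. */
static int decode_bounded(const unsigned char **cpp, const unsigned char *end) {
    int x;
    if (*cpp >= end)
        return -1;
    x = *(*cpp)++;
    if (x != 0)
        return x;
    if (end - *cpp < 2)
        return -1;
    x = ((*cpp)[0] << 8) | (*cpp)[1];
    *cpp += 2;
    return x;
}

/* Constructed sample: the frame is only sample[0] (0x00 means "16-bit value
 * follows"); the remaining bytes stand in for memory adjacent to the packet. */
static const unsigned char sample[4] = { 0x00, 0xAA, 0xBB, 0xCC };

static int first_field_unbounded(const unsigned char *pkt) {
    return decode_unbounded(&pkt);
}

static int first_field_bounded(const unsigned char *pkt, size_t isize) {
    return decode_bounded(&pkt, pkt + isize);
}

int main(void) {
    printf("0x%04x %d\n", first_field_unbounded(sample), first_field_bounded(sample, 1));
    return 0;
}
```

With a declared length of 1, the unbounded helper returns the two bytes that follow the frame, while the bounded helper reports -1 so the caller's existing error test can reject the packet.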

03

Branch      Fixed in    Patch commit
5.10        5.10.258    6268f01ae989
5.15        5.15.209    9aafba2f49e1
6.1         6.1.175     335957df4ed6
6.12        6.12.91     4cefe3263993
6.18        6.18.33     0511ecb00e61
6.6         6.6.141     37537e42e6df
7.0         7.0.10      d42bec6e4f6d
mainline    7.1-rc1     4c1367a2d7aa