Skip to main content

Linux Kernel EUVDEUVD-2026-32169

| CVE-2026-45843 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-58qm-9wwf-x958
8.2
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:22 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.2 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 11:16 nvd
HIGH 8.2
CVE Published
May 27, 2026 - 11:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

slip: bound decode() reads against the compressed packet length

slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.

A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.

Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.

AnalysisAI

Out-of-bounds read in the Linux kernel SLIP driver's VJ-compressed TCP header decoder (slhc_uncompress) allows a crafted short compressed frame to leak adjacent memory contents into the cached cstate and into subsequently reconstructed packets. The flaw affects systems using SLIP with Van Jacobson TCP/IP header compression; no public exploit has been identified at time of analysis and EPSS rates exploitation probability at 0.02%. The bug stems from missing bounds checks in decode() and pull16(), where the existing -1 error checks were dead code due to a 0xffff mask.

Technical ContextAI

SLIP (Serial Line Internet Protocol) is a legacy point-to-point encapsulation in the Linux networking stack (drivers/net/slip) that optionally supports Van Jacobson TCP/IP header compression (RFC 1144) via slhc.c. The slhc_uncompress() routine walks a compressed frame using decode() (variable-length integer parser) and pull16() (16-bit field reader) to reconstruct the original TCP header. Neither helper validated its pointer against the input buffer end (isize), and decode()'s return value was masked with & 0xffff, so the function could never return -1 - making the caller's '== -1' error checks unreachable. A change byte advertising optional fields can therefore cause the parser to walk past the end of the packet; the over-read bytes are folded into the per-connection cstate and emitted in later reconstructed packets, classifying this as an information-disclosure / out-of-bounds read (CWE-125 class, though CWE is not assigned in the input). The fix introduces an end pointer, returns -1 on exhaustion, and adds an explicit bounds check before the TCP checksum read.

RemediationAI

Apply the vendor-released patches for the relevant stable series: upgrade to Linux 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1-rc1, or later, using the upstream commits at https://git.kernel.org/stable/c/37537e42e6df387398bee85cb85070cc80bb1e10 and the four sibling commits listed in the references. For distribution kernels, install the next security update from your vendor once it incorporates these commits. If patching cannot be performed immediately, the most effective compensating control is to disable the SLIP driver entirely by blacklisting the slip and slhc modules (echo 'blacklist slip' and 'blacklist slhc' into /etc/modprobe.d/) or rebuilding the kernel without CONFIG_SLIP - the trade-off is loss of SLIP functionality, which is acceptable on virtually all modern deployments since SLIP is rarely used outside legacy serial or embedded environments. Where SLIP must remain, restrict which peers can establish slip interfaces (slattach is typically root-only) and avoid bridging SLIP interfaces to untrusted networks.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy