FKIE_CVE-2026-45842

Vulnerability from fkie_nvd - Published: 2026-05-27 11:16 - Updated: 2026-06-26 18:51
Summary
In the Linux kernel, the following vulnerability has been resolved:

slip: reject VJ receive packets on instances with no rstate array

slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).

The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.

The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:

    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)
    Call Trace:
     <TASK>
     ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)
     ppp_input (drivers/net/ppp/ppp_generic.c:2359)
     ppp_async_process (drivers/net/ppp/ppp_async.c:492)
     tasklet_action_common (kernel/softirq.c:926)
     handle_softirqs (kernel/softirq.c:623)
     run_ksoftirqd (kernel/softirq.c:1055)
     smpboot_thread_fn (kernel/smpboot.c:160)
     kthread (kernel/kthread.c:436)
     ret_from_fork (arch/x86/kernel/process.c:164)
     </TASK>

Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.

The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.
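
The slot check described in the summary, as an added userspace model in C (not the kernel source and not the fix commit): it reproduces the slot-count arithmetic and contrasts a range-only check with one that also rejects a missing rstate array. The names slcompress_model, decode_maxcid, model_init, range_only_ok and guarded_receive are hypothetical, and the default of 15 for an empty upper half is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified userspace model; every *_model name is hypothetical. */
struct slcompress_model {
    unsigned char *rstate;        /* stays NULL when rslots == 0 */
    unsigned char rslot_limit;    /* highest valid receive slot index */
    unsigned long sls_i_error;    /* receive error counter */
    int tossing;                  /* 1 once the toss state is entered */
};

/* Argument split as in the summary: signed int, arithmetic shift (GCC/Clang). */
static void decode_maxcid(unsigned int arg, int *rslots, int *tslots)
{
    int val = (int)arg, val2 = 15;    /* 15: model default, upper half zero */
    if ((val >> 16) != 0) {
        val2 = val >> 16;             /* 0xffff0000 gives -1 */
        val &= 0xffff;
    }
    *rslots = val2 + 1;
    *tslots = val + 1;
}

/* rslots == 0 is accepted and leaves rstate NULL with rslot_limit 0. */
static int model_init(struct slcompress_model *c, int rslots)
{
    *c = (struct slcompress_model){0};
    if (rslots < 0 || rslots > 255)
        return -1;
    if (rslots > 0) {
        c->rstate = calloc((size_t)rslots, 1);
        if (!c->rstate)
            return -1;
        c->rslot_limit = (unsigned char)(rslots - 1);
    }
    return 0;
}

/* Range check alone: slot 0 passes although no array is behind it. */
static int range_only_ok(const struct slcompress_model *c, unsigned int slot)
{
    return slot <= c->rslot_limit;
}

/* Receive path with the added guard: count an error and toss the frame. */
static int guarded_receive(struct slcompress_model *c, unsigned int slot)
{
    if (c->rstate == NULL || slot > c->rslot_limit) {
        c->sls_i_error++;
        c->tossing = 1;
        return 0;
    }
    c->rstate[slot] = 1;              /* stand-in for per-slot state */
    return 1;
}

int main(void)
{
    struct slcompress_model c;
    int rslots, tslots;
    decode_maxcid(0xffff0000u, &rslots, &tslots);
    model_init(&c, rslots);
    printf("rslots=%d tslots=%d range_only=%d guarded=%d\n", rslots, tslots,
           range_only_ok(&c, 0), guarded_receive(&c, 0));
    return 0;
}
```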

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d71c961febddd855d3ae9a519eeb96c8023f430",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "72304fec672e8aac9ee7b9c475db96b37cca8d8d",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "4aa9eca6fda2919027dfd7a7cc69334982d89586",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "c6980e8b1a86288167f34966fa5219031999b6f1",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "de42f86e2cf5028a97e74c25869d1a962b13c301",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "9e1ff0eead073c4f46d874ad2526b7dda5465faf",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "7b0d9e878ec2b21d99ae8051b3dda59cdb66c152",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "e76607442d5b73e1ba6768f501ef815bb58c2c0e",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "42fc512469e78939c1e419d3310c47de55bdcbb8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "df085f1cb3acd3d75408ff94f366983873bce7d2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a1c3860d3c5fc62bd35f089bcb03f18a37242de9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f82699de104eaf8a7ffc2849a566a94818dd8a3c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "354b254af5c1350de9586af75fe5a821b35bfb33",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5148857f5d4c812cc918cf4627f7880521e987eb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "82185755d90c8047c6f4b589c39998ff3d4ca3ad",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6b4fa561e26526c62636414d267342c945084f44",
              "versionType": "git"
            },
            {
              "lessThan": "2.6.33",
              "status": "affected",
              "version": "2.6.32.70",
              "versionType": "semver"
            },
            {
              "lessThan": "3.3",
              "status": "affected",
              "version": "3.2.75",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5",
              "status": "affected",
              "version": "3.4.111",
              "versionType": "semver"
            },
            {
              "lessThan": "3.11",
              "status": "affected",
              "version": "3.10.96",
              "versionType": "semver"
            },
            {
              "lessThan": "3.13",
              "status": "affected",
              "version": "3.12.53",
              "versionType": "semver"
            },
            {
              "lessThan": "3.15",
              "status": "affected",
              "version": "3.14.60",
              "versionType": "semver"
            },
            {
              "lessThan": "3.19",
              "status": "affected",
              "version": "3.18.27",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2",
              "status": "affected",
              "version": "4.1.17",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4",
              "status": "affected",
              "version": "4.3.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "77E401B1-6C5C-4412-A4F3-41A8860E2C08",
              "versionEndExcluding": "2.6.33",
              "versionStartIncluding": "2.6.32.70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5638A0E8-3156-4172-8646-A06234434789",
              "versionEndExcluding": "3.3",
              "versionStartIncluding": "3.2.75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E52E1F3C-10B4-4F40-8A2A-9594BC2B215D",
              "versionEndExcluding": "3.5",
              "versionStartIncluding": "3.4.111",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D30AFF3-EA15-42C2-A3E0-8D98B6C41B08",
              "versionEndExcluding": "3.11",
              "versionStartIncluding": "3.10.96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9F77506-D3BD-4C42-B6B3-A840F55A368C",
              "versionEndExcluding": "3.13",
              "versionStartIncluding": "3.12.53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5194146E-93C8-405F-8D58-440F1FF8D1F0",
              "versionEndExcluding": "3.15",
              "versionStartIncluding": "3.14.60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "14D92A66-8C70-4279-97AA-2054416F1C44",
              "versionEndExcluding": "3.19",
              "versionStartIncluding": "3.18.27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2E107F1-35B3-421F-8885-96D2886DA0D5",
              "versionEndExcluding": "4.2",
              "versionStartIncluding": "4.1.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B091096A-4826-42F7-B5C8-50217550B8B1",
              "versionEndExcluding": "5.10.258",
              "versionStartIncluding": "4.3.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "919C10A9-7951-4A74-BADD-C135A0A8D8B4",
              "versionEndExcluding": "5.15.209",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92385813-D91D-480D-83A1-F423D2CBB2BA",
              "versionEndExcluding": "6.1.175",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A9FFFA-22BB-4D5C-9790-5A2286E392F7",
              "versionEndExcluding": "6.6.141",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C918746B-DE6F-448F-A93E-A04C5481688D",
              "versionEndExcluding": "6.12.91",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "96D99E49-380D-43AB-BDBA-25C3AD018A9C",
              "versionEndExcluding": "6.18.33",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A13475D2-59BF-4716-94B5-7C1D239A2CF4",
              "versionEndExcluding": "7.0.10",
              "versionStartIncluding": "6.19",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n       address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n  \u003cTASK\u003e\n  ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n  ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n  ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n  tasklet_action_common (kernel/softirq.c:926)\n  handle_softirqs (kernel/softirq.c:623)\n  run_ksoftirqd (kernel/softirq.c:1055)\n  smpboot_thread_fn (kernel/smpboot.c:160)\n  kthread (kernel/kthread.c:436)\n  ret_from_fork (arch/x86/kernel/process.c:164)\n  \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work."
    }
  ],
  "id": "CVE-2026-45842",
  "lastModified": "2026-06-26T18:51:05.930",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-27T11:16:23.600",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3d71c961febddd855d3ae9a519eeb96c8023f430"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4aa9eca6fda2919027dfd7a7cc69334982d89586"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/72304fec672e8aac9ee7b9c475db96b37cca8d8d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

