CVE-2026-45843

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The slhc uncompress() function parses VJ-compressed TCP headers by advancing a pointer through the packet using decode() and pull16(). These helper functions do not perform bounds-checks against the packet size isize. Additionally, decode() masks its return value with & 0xffff, preventing it from returning -1, which renders the error-handling paths in the calling functions unreachable. A short compressed frame requesting optional fields allows decode() to read past the end of the packet. These over-read bytes are then incorporated into the cached cstate and affect subsequent reconstructed packets.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.