In the Linux kernel, the following vulnerability has been resolved:
slip: reject VJ receive packets on instances with no rstate array
slhcinit() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhcinit() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).
The receive helpers do not defend against that configuration. slhcuncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhcremember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslotlimit. Because rslotlimit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.
The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and pppgeneric.c ends up calling slhcinit(0, 1). Because /dev/ppp open is gated by nscapable(CAPNET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:slhcuncompress (drivers/net/slip/slhc.c:519) Call Trace: <TASK> pppreceivenonmpframe (drivers/net/ppp/pppgeneric.c:2466) pppinput (drivers/net/ppp/pppgeneric.c:2359) pppasyncprocess (drivers/net/ppp/pppasync.c:492) taskletactioncommon (kernel/softirq.c:926) handlesoftirqs (kernel/softirq.c:623) runksoftirqd (kernel/softirq.c:1055) smpbootthreadfn (kernel/smpboot.c:160) kthread (kernel/kthread.c:436) retfromfork (arch/x86/kernel/process.c:164) </TASK>
Reject the receive side on such instances instead of touching rstate. slhcuncompress() falls through to its existing 'bad' label, which bumps slsierror and enters the toss state. slhcremember() mirrors that with an explicit slsierror increment followed by slhctoss(); the slsi_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.
The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (pppgeneric.c) still supplies tslots >= 1, and slip.c always calls slhcinit(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45842.json",
"cna_assigner": "Linux"
}