Vulnerability-Lookup

CVE-2026-45842 (GCVE-0-2026-45842)

Vulnerability from cvelistv5 – Published: 2026-05-27 09:24 – Updated: 2026-05-27 09:24

Title

slip: reject VJ receive packets on instances with no rstate array

Summary

In the Linux kernel, the following vulnerability has been resolved: slip: reject VJ receive packets on instances with no rstate array slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress). The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate. The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519) Call Trace: <TASK> ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466) ppp_input (drivers/net/ppp/ppp_generic.c:2359) ppp_async_process (drivers/net/ppp/ppp_async.c:492) tasklet_action_common (kernel/softirq.c:926) handle_softirqs (kernel/softirq.c:623) run_ksoftirqd (kernel/softirq.c:1055) smpboot_thread_fn (kernel/smpboot.c:160) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:164) </TASK> Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet. The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/c6980e8b1a8628816…
https://git.kernel.org/stable/c/de42f86e2cf5028a9…
https://git.kernel.org/stable/c/9e1ff0eead073c4f4…
https://git.kernel.org/stable/c/7b0d9e878ec2b21d9…
https://git.kernel.org/stable/c/e76607442d5b73e1b…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < c6980e8b1a86288167f34966fa5219031999b6f1 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < de42f86e2cf5028a97e74c25869d1a962b13c301 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 9e1ff0eead073c4f46d874ad2526b7dda5465faf (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < 7b0d9e878ec2b21d99ae8051b3dda59cdb66c152 (git) Affected: 4ab42d78e37a294ac7bc56901d563c642e03c4ae , < e76607442d5b73e1ba6768f501ef815bb58c2c0e (git) Affected: 42fc512469e78939c1e419d3310c47de55bdcbb8 (git) Affected: df085f1cb3acd3d75408ff94f366983873bce7d2 (git) Affected: a1c3860d3c5fc62bd35f089bcb03f18a37242de9 (git) Affected: f82699de104eaf8a7ffc2849a566a94818dd8a3c (git) Affected: 354b254af5c1350de9586af75fe5a821b35bfb33 (git) Affected: 5148857f5d4c812cc918cf4627f7880521e987eb (git) Affected: 82185755d90c8047c6f4b589c39998ff3d4ca3ad (git) Affected: a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d (git) Affected: 6b4fa561e26526c62636414d267342c945084f44 (git) Affected: 2.6.32.70 , < 2.6.33 (semver) Affected: 3.2.75 , < 3.3 (semver) Affected: 3.4.111 , < 3.5 (semver) Affected: 3.10.96 , < 3.11 (semver) Affected: 3.12.53 , < 3.13 (semver) Affected: 3.14.60 , < 3.15 (semver) Affected: 3.18.27 , < 3.19 (semver) Affected: 4.1.17 , < 4.2 (semver) Affected: 4.3.5 , < 4.4 (semver)
Linux	Linux	Affected: 4.4 Unaffected: 0 , < 4.4 (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c6980e8b1a86288167f34966fa5219031999b6f1",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "de42f86e2cf5028a97e74c25869d1a962b13c301",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "9e1ff0eead073c4f46d874ad2526b7dda5465faf",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "7b0d9e878ec2b21d99ae8051b3dda59cdb66c152",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "lessThan": "e76607442d5b73e1ba6768f501ef815bb58c2c0e",
              "status": "affected",
              "version": "4ab42d78e37a294ac7bc56901d563c642e03c4ae",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "42fc512469e78939c1e419d3310c47de55bdcbb8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "df085f1cb3acd3d75408ff94f366983873bce7d2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a1c3860d3c5fc62bd35f089bcb03f18a37242de9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f82699de104eaf8a7ffc2849a566a94818dd8a3c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "354b254af5c1350de9586af75fe5a821b35bfb33",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5148857f5d4c812cc918cf4627f7880521e987eb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "82185755d90c8047c6f4b589c39998ff3d4ca3ad",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6b4fa561e26526c62636414d267342c945084f44",
              "versionType": "git"
            },
            {
              "lessThan": "2.6.33",
              "status": "affected",
              "version": "2.6.32.70",
              "versionType": "semver"
            },
            {
              "lessThan": "3.3",
              "status": "affected",
              "version": "3.2.75",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5",
              "status": "affected",
              "version": "3.4.111",
              "versionType": "semver"
            },
            {
              "lessThan": "3.11",
              "status": "affected",
              "version": "3.10.96",
              "versionType": "semver"
            },
            {
              "lessThan": "3.13",
              "status": "affected",
              "version": "3.12.53",
              "versionType": "semver"
            },
            {
              "lessThan": "3.15",
              "status": "affected",
              "version": "3.14.60",
              "versionType": "semver"
            },
            {
              "lessThan": "3.19",
              "status": "affected",
              "version": "3.18.27",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2",
              "status": "affected",
              "version": "4.1.17",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4",
              "status": "affected",
              "version": "4.3.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/slip/slhc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.32.70",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.111",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.96",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.53",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n       address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n  \u003cTASK\u003e\n  ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n  ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n  ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n  tasklet_action_common (kernel/softirq.c:926)\n  handle_softirqs (kernel/softirq.c:623)\n  run_ksoftirqd (kernel/softirq.c:1055)\n  smpboot_thread_fn (kernel/smpboot.c:160)\n  kthread (kernel/kthread.c:436)\n  ret_from_fork (arch/x86/kernel/process.c:164)\n  \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:24:42.637Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
        },
        {
          "url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
        }
      ],
      "title": "slip: reject VJ receive packets on instances with no rstate array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45842",
    "datePublished": "2026-05-27T09:24:42.637Z",
    "dateReserved": "2026-05-13T15:03:33.078Z",
    "dateUpdated": "2026-05-27T09:24:42.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45842",
      "date": "2026-05-28",
      "epss": "0.00018",
      "percentile": "0.05152"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45842\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T11:16:23.600\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nslip: reject VJ receive packets on instances with no rstate array\\n\\nslhc_init() accepts rslots == 0 as a valid configuration, with the\\ndocumented meaning of \u0027no receive compression\u0027. In that case the\\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\\nslcompress).\\n\\nThe receive helpers do not defend against that configuration.\\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\\ncarries an explicit connection ID, and slhc_remember() later assigns\\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\\nrange check, and the code dereferences a NULL rstate.\\n\\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\\nis reachable from an unprivileged user namespace. Once the malformed\\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\\nframe that selects slot 0 crashes the kernel in softirq context:\\n\\n Oops: general protection fault, probably for non-canonical\\n       address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\\n Call Trace:\\n  \u003cTASK\u003e\\n  ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\\n  ppp_input (drivers/net/ppp/ppp_generic.c:2359)\\n  ppp_async_process (drivers/net/ppp/ppp_async.c:492)\\n  tasklet_action_common (kernel/softirq.c:926)\\n  handle_softirqs (kernel/softirq.c:623)\\n  run_ksoftirqd (kernel/softirq.c:1055)\\n  smpboot_thread_fn (kernel/smpboot.c:160)\\n  kthread (kernel/kthread.c:436)\\n  ret_from_fork (arch/x86/kernel/process.c:164)\\n  \u003c/TASK\u003e\\n\\nReject the receive side on such instances instead of touching rstate.\\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\\nthat with an explicit sls_i_error increment followed by slhc_toss();\\nthe sls_i_runt counter is not used here because a missing rstate is\\nan internal configuration state, not a runt packet.\\n\\nThe transmit path is unaffected: the only in-tree caller that picks\\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\\nand slhc_compress() continues to work.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

FKIE_CVE-2026-45842

Vulnerability from fkie_nvd - Published: 2026-05-27 11:16 - Updated: 2026-05-27 14:48

Severity

Summary

References

	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n       address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n  \u003cTASK\u003e\n  ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n  ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n  ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n  tasklet_action_common (kernel/softirq.c:926)\n  handle_softirqs (kernel/softirq.c:623)\n  run_ksoftirqd (kernel/softirq.c:1055)\n  smpboot_thread_fn (kernel/smpboot.c:160)\n  kthread (kernel/kthread.c:436)\n  ret_from_fork (arch/x86/kernel/process.c:164)\n  \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work."
    }
  ],
  "id": "CVE-2026-45842",
  "lastModified": "2026-05-27T14:48:03.013",
  "metrics": {},
  "published": "2026-05-27T11:16:23.600",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

GHSA-G2VJ-V28F-R7CF

Vulnerability from github – Published: 2026-05-27 12:31 – Updated: 2026-05-27 12:31

Details

In the Linux kernel, the following vulnerability has been resolved:

slip: reject VJ receive packets on instances with no rstate array

slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).

The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.

The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519) Call Trace: ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466) ppp_input (drivers/net/ppp/ppp_generic.c:2359) ppp_async_process (drivers/net/ppp/ppp_async.c:492) tasklet_action_common (kernel/softirq.c:926) handle_softirqs (kernel/softirq.c:623) run_ksoftirqd (kernel/softirq.c:1055) smpboot_thread_fn (kernel/smpboot.c:160) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:164)

Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.

The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-45842"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T11:16:23Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: reject VJ receive packets on instances with no rstate array\n\nslhc_init() accepts rslots == 0 as a valid configuration, with the\ndocumented meaning of \u0027no receive compression\u0027. In that case the\nallocation loop in slhc_init() is skipped, so comp-\u003erstate stays\nNULL and comp-\u003erslot_limit stays 0 (from the kzalloc of struct\nslcompress).\n\nThe receive helpers do not defend against that configuration.\nslhc_uncompress() dereferences comp-\u003erstate[x] when the VJ header\ncarries an explicit connection ID, and slhc_remember() later assigns\ncs = \u0026comp-\u003erstate[...] after only comparing the packet\u0027s slot number\nto comp-\u003erslot_limit. Because rslot_limit is 0, slot 0 passes the\nrange check, and the code dereferences a NULL rstate.\n\nThe configuration is reachable in-tree through PPP. PPPIOCSMAXCID\nstores its argument in a signed int, and (val \u003e\u003e 16) uses arithmetic\nshift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1\nis 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because\n/dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path\nis reachable from an unprivileged user namespace. Once the malformed\nVJ state is installed, any inbound VJ-compressed or VJ-uncompressed\nframe that selects slot 0 crashes the kernel in softirq context:\n\n Oops: general protection fault, probably for non-canonical\n       address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)\n Call Trace:\n  \u003cTASK\u003e\n  ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)\n  ppp_input (drivers/net/ppp/ppp_generic.c:2359)\n  ppp_async_process (drivers/net/ppp/ppp_async.c:492)\n  tasklet_action_common (kernel/softirq.c:926)\n  handle_softirqs (kernel/softirq.c:623)\n  run_ksoftirqd (kernel/softirq.c:1055)\n  smpboot_thread_fn (kernel/smpboot.c:160)\n  kthread (kernel/kthread.c:436)\n  ret_from_fork (arch/x86/kernel/process.c:164)\n  \u003c/TASK\u003e\n\nReject the receive side on such instances instead of touching rstate.\nslhc_uncompress() falls through to its existing \u0027bad\u0027 label, which\nbumps sls_i_error and enters the toss state. slhc_remember() mirrors\nthat with an explicit sls_i_error increment followed by slhc_toss();\nthe sls_i_runt counter is not used here because a missing rstate is\nan internal configuration state, not a runt packet.\n\nThe transmit path is unaffected: the only in-tree caller that picks\nrslots from userspace (ppp_generic.c) still supplies tslots \u003e= 1, and\nslip.c always calls slhc_init(16, 16), so comp-\u003etstate remains valid\nand slhc_compress() continues to work.",
  "id": "GHSA-g2vj-v28f-r7cf",
  "modified": "2026-05-27T12:31:24Z",
  "published": "2026-05-27T12:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45842"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

MSRC_CVE-2026-45842

Vulnerability from csaf_microsoft - Published: 2026-05-02 00:00 - Updated: 2026-05-28 01:09

Summary

slip: reject VJ receive packets on instances with no rstate array

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-45842

Affected products

Under investigation 1 product

Product	Identifier	Version	Remediation
Unresolved product id: 17084-1		—

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-45842 slip: reject VJ receive packets on instances with no rstate array - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-45842.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "slip: reject VJ receive packets on instances with no rstate array",
    "tracking": {
      "current_release_date": "2026-05-28T01:09:07.000Z",
      "generator": {
        "date": "2026-05-28T07:20:09.818Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-45842",
      "initial_release_date": "2026-05-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-28T01:09:07.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-45842",
      "notes": [
        {
          "category": "general",
          "text": "Linux",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "under_investigation": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-45842 slip: reject VJ receive packets on instances with no rstate array - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-45842.json"
        }
      ],
      "title": "slip: reject VJ receive packets on instances with no rstate array"
    }
  ]
}

WID-SEC-W-2026-1691

Vulnerability from csaf_certbund - Published: 2026-05-26 22:00 - Updated: 2026-05-27 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff: Ein entfernter Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Zustand oder andere Auswirkungen herbeizuführen.

Betroffene Betriebssysteme: - Linux

CVE-2026-45837

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45838

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45839

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45840

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45841

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45842

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45843

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45844

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45845

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-45846

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

References

13 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://lore.kernel.org/linux-cve-announce/	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external
https://lore.kernel.org/linux-cve-announce/202605…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Zustand oder andere Auswirkungen herbeizuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1691 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1691.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1691 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1691"
      },
      {
        "category": "external",
        "summary": "Kernel CVE Announce Mailingliste",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45837",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052708-CVE-2026-45837-c50b@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45838",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052711-CVE-2026-45838-9c3b@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45839",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052712-CVE-2026-45839-44c7@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45840",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052712-CVE-2026-45840-cfc7@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45841",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052712-CVE-2026-45841-9575@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45842",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052712-CVE-2026-45842-71fc@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45843",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45843-7efb@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45844",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45844-703b@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45845",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45845-8dc4@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-45846",
        "url": "https://lore.kernel.org/linux-cve-announce/2026052713-CVE-2026-45846-ddca@gregkh/"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-27T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-28T06:45:42.982+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1691",
      "initial_release_date": "2026-05-26T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-27T22:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-32172, EUVD-2026-32171, EUVD-2026-32170, EUVD-2026-32169, EUVD-2026-32168, EUVD-2026-32166, EUVD-2026-32167, EUVD-2026-32165, EUVD-2026-32164, EUVD-2026-32163"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T053276",
              "product_identification_helper": {
                "cpe": "cpe:/o:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-45837",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45837"
    },
    {
      "cve": "CVE-2026-45838",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45838"
    },
    {
      "cve": "CVE-2026-45839",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45839"
    },
    {
      "cve": "CVE-2026-45840",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45840"
    },
    {
      "cve": "CVE-2026-45841",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45841"
    },
    {
      "cve": "CVE-2026-45842",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45842"
    },
    {
      "cve": "CVE-2026-45843",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45843"
    },
    {
      "cve": "CVE-2026-45844",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45844"
    },
    {
      "cve": "CVE-2026-45845",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45845"
    },
    {
      "cve": "CVE-2026-45846",
      "product_status": {
        "known_affected": [
          "T053276"
        ]
      },
      "release_date": "2026-05-26T22:00:00.000+00:00",
      "title": "CVE-2026-45846"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45842 (GCVE-0-2026-45842)

FKIE_CVE-2026-45842

GHSA-G2VJ-V28F-R7CF

MSRC_CVE-2026-45842

WID-SEC-W-2026-1691

Tags

Sightings

Nomenclature