ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
https://lists.freedesktop.org/archives/slirp/2020-November/000115.html
https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html