CVE-2025-68775
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-01-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-14
Generated
2026-05-07
AI Q&A
2026-01-14
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68775
EUVD
EUVD-2026-2318
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel involves the handling of handshake cancellations in the network handshake code. When a handshake request is cancelled, it is removed from one list but remains in another until destroyed. If a second cancellation request for the same handshake arrives, the code incorrectly processes it, leading to a reference count underflow by adding an extra reference to the socket. This can occur, for example, when a handshake times out, causing duplicate cancellation requests from client and server sides. The fix involves detecting duplicate cancellations to prevent this issue.


How can this vulnerability impact me? :

The vulnerability can lead to a reference count underflow in the Linux kernel's network handshake code, which may cause memory corruption or instability in the kernel. This could potentially be exploited to cause denial of service or other unpredictable behavior in systems using the affected Linux kernel.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart