CVE-2025-68775

EPSS 0.03%
Veröffentlicht 13.01.2026 15:28:52
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

net/handshake: duplicate handshake cancellations leak socket

In the Linux kernel, the following vulnerability has been resolved:

net/handshake: duplicate handshake cancellations leak socket

When a handshake request is cancelled it is removed from the
handshake_net->hn_requests list, but it is still present in the
handshake_rhashtbl until it is destroyed.

If a second cancellation request arrives for the same handshake request,
then remove_pending() will return false... and assuming
HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue
processing through the out_true label, where we put another reference on
the sock and a refcount underflow occurs.

This can happen for example if a handshake times out - particularly if
the SUNRPC client sends the AUTH_TLS probe to the server but doesn't
follow it up with the ClientHello due to a problem with tlshd.  When the
timeout is hit on the server, the server will send a FIN, which triggers
a cancellation request via xs_reset_transport().  When the timeout is
hit on the client, another cancellation request happens via
xs_tls_handshake_sync().

Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel
path so duplicate cancels can be detected.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 7

CNA 2 VulnDex Vulnerability Enrichment 6

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version 3b3009ea8abb713b022d94fba95ec270cf6e7eae

Version < 011ae80c49d9bfa5b4336f8bd387cd25c7593663

Status affected

Version 3b3009ea8abb713b022d94fba95ec270cf6e7eae

Version < e1641177e7fb48a0a5a06658d4aab51da6656659

Status affected

Version 3b3009ea8abb713b022d94fba95ec270cf6e7eae

Version < 3c330f1dee3cd92b57e19b9d21dc8ce5970b09be

Status affected

Version 3b3009ea8abb713b022d94fba95ec270cf6e7eae

Version < 15564bd67e2975002f2a8e9defee33e321d3183f

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 6.4

Status affected

Version 0

Version < 6.4

Status unaffected

Version <= 6.6.*

Version 6.6.120

Status unaffected

Version <= 6.12.*

Version 6.12.64

Status unaffected

Version <= 6.18.*

Version 6.18.3

Status unaffected

Version <= *

Version 6.19

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.102

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663

https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659

https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be

https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f

https://nvd.nist.gov/vuln/detail/CVE-2025-68775

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68775

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68775

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-68775