{"id":"AZL-74456","summary":"CVE-2025-68775 affecting package kernel for versions less than 6.6.121.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: duplicate handshake cancellations leak socket\n\nWhen a handshake request is cancelled it is removed from the\nhandshake_net-\u003ehn_requests list, but it is still present in the\nhandshake_rhashtbl until it is destroyed.\n\nIf a second cancellation request arrives for the same handshake request,\nthen remove_pending() will return false... and assuming\nHANDSHAKE_F_REQ_COMPLETED isn't set in req-\u003ehr_flags, we'll continue\nprocessing through the out_true label, where we put another reference on\nthe sock and a refcount underflow occurs.\n\nThis can happen for example if a handshake times out - particularly if\nthe SUNRPC client sends the AUTH_TLS probe to the server but doesn't\nfollow it up with the ClientHello due to a problem with tlshd.  When the\ntimeout is hit on the server, the server will send a FIN, which triggers\na cancellation request via xs_reset_transport().  When the timeout is\nhit on the client, another cancellation request happens via\nxs_tls_handshake_sync().\n\nAdd a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel\npath so duplicate cancels can be detected.","modified":"2026-04-01T05:22:43.311184Z","published":"2026-01-13T16:15:57Z","upstream":["CVE-2025-68775"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68775"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.121.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-74456.json"}}],"schema_version":"1.7.5"}