{"id":"CVE-2025-68775","summary":"net/handshake: duplicate handshake cancellations leak socket","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: duplicate handshake cancellations leak socket\n\nWhen a handshake request is cancelled it is removed from the\nhandshake_net-\u003ehn_requests list, but it is still present in the\nhandshake_rhashtbl until it is destroyed.\n\nIf a second cancellation request arrives for the same handshake request,\nthen remove_pending() will return false... and assuming\nHANDSHAKE_F_REQ_COMPLETED isn't set in req-\u003ehr_flags, we'll continue\nprocessing through the out_true label, where we put another reference on\nthe sock and a refcount underflow occurs.\n\nThis can happen for example if a handshake times out - particularly if\nthe SUNRPC client sends the AUTH_TLS probe to the server but doesn't\nfollow it up with the ClientHello due to a problem with tlshd.  When the\ntimeout is hit on the server, the server will send a FIN, which triggers\na cancellation request via xs_reset_transport().  When the timeout is\nhit on the client, another cancellation request happens via\nxs_tls_handshake_sync().\n\nAdd a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel\npath so duplicate cancels can be detected.","modified":"2026-03-31T17:30:00.262714Z","published":"2026-01-13T15:28:52.069Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0447-1","SUSE-SU-2026:0471-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68775.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663"},{"type":"WEB","url":"https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68775.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68775"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3b3009ea8abb713b022d94fba95ec270cf6e7eae"},{"fixed":"011ae80c49d9bfa5b4336f8bd387cd25c7593663"},{"fixed":"e1641177e7fb48a0a5a06658d4aab51da6656659"},{"fixed":"3c330f1dee3cd92b57e19b9d21dc8ce5970b09be"},{"fixed":"15564bd67e2975002f2a8e9defee33e321d3183f"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68775.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.4.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68775.json"}}],"schema_version":"1.7.5"}