CVE-2025-68775
EUVD-2026-231813.01.2026, 16:15
In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected.Enginsight
Awaiting analysis
This vulnerability is currently awaiting analysis.
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| cluster-md-kmp-default |
| ||||||||
| dlm-kmp-default |
| ||||||||
| gfs2-kmp-default |
| ||||||||
| kernel-64kb |
| ||||||||
| kernel-azure |
| ||||||||
| kernel-default |
| ||||||||
| kernel-default-base |
| ||||||||
| kernel-docs |
| ||||||||
| kernel-macros |
| ||||||||
| kernel-obs-build |
| ||||||||
| kernel-source |
| ||||||||
| kernel-source-azure |
| ||||||||
| kernel-syms |
| ||||||||
| kernel-syms-azure |
| ||||||||
| kernel-zfcpdump |
| ||||||||
| ocfs2-kmp-default |
| ||||||||
| reiserfs-kmp-default |
|