In the Linux kernel, the following vulnerability has been resolved:

net/handshake: duplicate handshake cancellations leak socket

When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed.

If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs.

This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync().

Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected.
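The double put described above can be reproduced in a small userspace model. This is an added example, not the kernel's code: sock_model, req_model, cancel_model() and the other names are hypothetical stand-ins, and a C11 atomic_flag stands in for the HANDSHAKE_F_REQ_COMPLETED bit in hr_flags.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; simplified stand-ins, not kernel structures. */
struct sock_model { int refcnt; };
struct req_model {
    struct sock_model *sk;
    bool pending;            /* still on the hn_requests list */
    atomic_flag completed;   /* stands in for HANDSHAKE_F_REQ_COMPLETED */
};

/* Like remove_pending(): true only if the request was still queued. */
static bool remove_pending_model(struct req_model *req)
{
    bool was_pending = req->pending;
    req->pending = false;
    return was_pending;
}

/* guard=false: pending path never marks the request; guard=true: it does. */
static bool cancel_model(struct req_model *req, bool guard)
{
    if (remove_pending_model(req)) {
        if (guard && atomic_flag_test_and_set(&req->completed))
            return false;
        goto out_true;
    }
    if (atomic_flag_test_and_set(&req->completed))
        return false;        /* already completed or cancelled */
out_true:
    req->sk->refcnt--;       /* the reference put on the sock */
    return true;
}

/* Two cancels for one request that holds exactly one sock reference. */
static int refcnt_after_two_cancels(bool guard)
{
    struct sock_model sk = { .refcnt = 1 };
    struct req_model req = { .sk = &sk, .pending = true,
                             .completed = ATOMIC_FLAG_INIT };
    cancel_model(&req, guard);
    cancel_model(&req, guard);
    return sk.refcnt;
}

int main(void)
{
    printf("unguarded=%d\n", refcnt_after_two_cancels(false));
    printf("guarded=%d\n", refcnt_after_two_cancels(true));
    return 0;
}
```

Without the guard, the first cancel leaves the flag clear, so the second cancel passes the flag check and drops a reference the request no longer owns.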