Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68775

CVE-2025-68775: Linux Kernel Privilege Escalation Flaw

CVE-2025-68775 is a privilege escalation vulnerability in the Linux kernel's net/handshake component that causes socket leaks through duplicate cancellation requests. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-68775 Overview

A vulnerability has been identified in the Linux kernel's network handshake subsystem (net/handshake) that causes a socket leak and reference count underflow when duplicate handshake cancellations occur. The flaw exists in the handling of cancelled handshake requests where a request removed from the handshake_net->hn_requests list remains present in the handshake_rhashtbl until destruction.

Critical Impact

Duplicate cancellation requests can trigger reference count underflow on the socket, potentially leading to memory corruption, denial of service, or use-after-free conditions in kernel networking code.

Affected Products

  • Linux Kernel (net/handshake subsystem)
  • Systems using SUNRPC with TLS handshake support
  • Systems utilizing AUTH_TLS probe mechanisms

Discovery Timeline

  • 2026-01-13 - CVE CVE-2025-68775 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68775

Vulnerability Analysis

This vulnerability represents a reference count (refcount) underflow condition in the Linux kernel's handshake cancellation logic. The root issue stems from improper state management when processing duplicate cancellation requests for the same handshake operation.

When a handshake request is cancelled, the kernel removes it from the handshake_net->hn_requests list. However, the request remains in the handshake_rhashtbl hash table until it is fully destroyed. If a second cancellation request arrives for the same handshake before destruction completes, the remove_pending() function returns false. The code then incorrectly proceeds through the out_true label path when HANDSHAKE_F_REQ_COMPLETED is not set in req->hr_flags, resulting in an additional reference put operation on the socket that causes the refcount underflow.

Root Cause

The vulnerability is caused by a missing atomicity check in the pending cancel path. The code fails to detect when a handshake request has already been cancelled, allowing duplicate cancellation processing that incorrectly manipulates socket reference counts. The fix implements a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) operation in the pending cancel path to atomically detect and prevent duplicate cancellation processing.

Attack Vector

A practical exploitation scenario involves timing conditions with SUNRPC TLS handshakes:

  1. The SUNRPC client sends an AUTH_TLS probe to a server but fails to follow up with the ClientHello message due to a problem with the tlshd daemon
  2. When the timeout occurs on the server side, it sends a FIN packet, triggering a cancellation request via xs_reset_transport()
  3. When the timeout is subsequently hit on the client side, another cancellation request is triggered via xs_tls_handshake_sync()
  4. These duplicate cancellations cause the refcount underflow condition

The vulnerability requires the ability to trigger network handshake timeout conditions or cause duplicate cancellation events in the handshake subsystem. This could occur naturally due to network instability or tlshd daemon issues, or potentially be triggered by an attacker with network access.

Detection Methods for CVE-2025-68775

Indicators of Compromise

  • Kernel panic or oops messages referencing net/handshake or socket refcount underflow
  • Unexpected system crashes during TLS handshake operations
  • Memory corruption signatures in kernel logs related to networking subsystem
  • SUNRPC errors indicating handshake timeout conditions

Detection Strategies

  • Monitor kernel logs for warnings related to socket reference count anomalies or handshake subsystem errors
  • Implement kernel tracing on the handshake_cancel() and related functions to detect duplicate cancellation attempts
  • Use tools like KASAN (Kernel Address Sanitizer) to detect memory corruption during development or testing
  • Review system logs for repeated AUTH_TLS probe failures or tlshd daemon issues

Monitoring Recommendations

  • Enable kernel debugging options to capture detailed information about handshake subsystem operations
  • Monitor for unusual patterns of SUNRPC TLS handshake timeouts
  • Deploy runtime integrity monitoring solutions that can detect kernel memory corruption
  • Track tlshd daemon status and operation logs for anomalies

How to Mitigate CVE-2025-68775

Immediate Actions Required

  • Update the Linux kernel to a patched version that includes the fix
  • If immediate patching is not possible, consider disabling TLS handshake functionality if not required
  • Monitor systems for signs of exploitation such as kernel panics or unexpected crashes
  • Review and stabilize tlshd daemon configuration to reduce handshake timeout conditions

Patch Information

The vulnerability has been addressed through multiple kernel commits that add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) check in the pending cancel path. This atomic operation ensures duplicate cancellations are detected and properly handled without causing refcount underflow.

Relevant patches are available:

Workarounds

  • Disable SUNRPC TLS handshake support if not operationally required
  • Ensure tlshd daemon is properly configured and monitored to minimize handshake failures
  • Implement network-level controls to reduce timeout conditions that could trigger the vulnerability
  • Consider using kernel live patching solutions if available for your distribution
bash
# Check current kernel version for vulnerability status
uname -r

# Review dmesg for handshake-related errors
dmesg | grep -i "handshake\|refcount"

# Monitor tlshd daemon status
systemctl status tlshd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.