CVE-2025-68775 Overview
A vulnerability has been identified in the Linux kernel's network handshake subsystem (net/handshake) that causes a socket leak and a reference count underflow when duplicate handshake cancellations occur. The flaw lies in the handling of cancelled handshake requests: a request removed from the handshake_net->hn_requests list remains present in the handshake_rhashtbl until it is destroyed, so a second cancellation can still look it up.
Critical Impact
Duplicate cancellation requests can trigger reference count underflow on the socket, potentially leading to memory corruption, denial of service, or use-after-free conditions in kernel networking code.
Affected Products
- Linux Kernel (net/handshake subsystem)
- Systems using SUNRPC with TLS handshake support
- Systems utilizing AUTH_TLS probe mechanisms
Discovery Timeline
- 2026-01-13 - CVE-2025-68775 published to NVD
- 2026-01-13 - Last updated in the NVD database
Technical Details for CVE-2025-68775
Vulnerability Analysis
This vulnerability represents a reference count (refcount) underflow condition in the Linux kernel's handshake cancellation logic. The root issue stems from improper state management when processing duplicate cancellation requests for the same handshake operation.
When a handshake request is cancelled, the kernel removes it from the handshake_net->hn_requests list. However, the request remains in the handshake_rhashtbl hash table until it is fully destroyed. If a second cancellation request arrives for the same handshake before destruction completes, the remove_pending() function returns false. The code then incorrectly proceeds through the out_true label path when HANDSHAKE_F_REQ_COMPLETED is not set in req->hr_flags, resulting in an additional reference put operation on the socket that causes the refcount underflow.
Root Cause
The vulnerability is caused by a missing atomicity check in the pending cancel path. The code fails to detect when a handshake request has already been cancelled, allowing duplicate cancellation processing that incorrectly manipulates socket reference counts. The fix implements a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) operation in the pending cancel path to atomically detect and prevent duplicate cancellation processing.
Attack Vector
A practical exploitation scenario involves timing conditions with SUNRPC TLS handshakes:
- The SUNRPC client sends an AUTH_TLS probe to a server but fails to follow up with the ClientHello message due to a problem with the tlshd daemon
- When the timeout occurs on the server side, it sends a FIN packet, triggering a cancellation request via xs_reset_transport()
- When the timeout is subsequently hit on the client side, another cancellation request is triggered via xs_tls_handshake_sync()
- These duplicate cancellations cause the refcount underflow condition
The vulnerability requires the ability to trigger network handshake timeout conditions or cause duplicate cancellation events in the handshake subsystem. This could occur naturally due to network instability or tlshd daemon issues, or potentially be triggered by an attacker with network access.
Detection Methods for CVE-2025-68775
Indicators of Compromise
- Kernel panic or oops messages referencing net/handshake or socket refcount underflow
- Unexpected system crashes during TLS handshake operations
- Memory corruption signatures in kernel logs related to networking subsystem
- SUNRPC errors indicating handshake timeout conditions
Detection Strategies
- Monitor kernel logs for warnings related to socket reference count anomalies or handshake subsystem errors
- Implement kernel tracing on the handshake_cancel() and related functions to detect duplicate cancellation attempts
- Use tools like KASAN (Kernel Address Sanitizer) to detect memory corruption during development or testing
- Review system logs for repeated AUTH_TLS probe failures or tlshd daemon issues
Monitoring Recommendations
- Enable kernel debugging options to capture detailed information about handshake subsystem operations
- Monitor for unusual patterns of SUNRPC TLS handshake timeouts
- Deploy runtime integrity monitoring solutions that can detect kernel memory corruption
- Track tlshd daemon status and operation logs for anomalies
How to Mitigate CVE-2025-68775
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix
- If immediate patching is not possible, consider disabling TLS handshake functionality if not required
- Monitor systems for signs of exploitation such as kernel panics or unexpected crashes
- Review and stabilize tlshd daemon configuration to reduce handshake timeout conditions
Patch Information
The vulnerability has been addressed through multiple kernel commits that add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) check in the pending cancel path. This atomic operation ensures duplicate cancellations are detected and properly handled without causing refcount underflow.
Relevant patches are available:
- Kernel Git Commit 011ae80
- Kernel Git Commit 15564bd
- Kernel Git Commit 3c330f1
- Kernel Git Commit e164117
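To make the root cause and the fix concrete, the following is an added user-space model of the cancel path described above. It is not the kernel's code and does not reproduce net/handshake line for line: the struct names, remove_pending(), sock_put(), test_and_set_bit_model() and both cancel functions are simplified stand-ins constructed for illustration, and the bit index chosen for HANDSHAKE_F_REQ_COMPLETED is arbitrary. The model runs the advisory's scenario (one pending request cancelled twice) against the flawed shape and the fixed shape and reports the resulting socket refcount.

```c
/* Added example: user-space model of the duplicate-cancel refcount underflow
 * and of the test_and_set_bit() fix. Not kernel code; all names below are
 * constructed stand-ins. Build: cc -std=c11 -o cancel_model cancel_model.c */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Bit index of the COMPLETED flag inside hr_flags (flag name from the
 * advisory; the index value is a choice made for this model). */
#define HANDSHAKE_F_REQ_COMPLETED 0UL

struct mock_sock {
    atomic_int sk_refcnt;      /* stands in for the socket reference count */
};

struct mock_handshake_req {
    atomic_ulong hr_flags;     /* flag bits; only COMPLETED is modelled */
    struct mock_sock *hr_sk;   /* socket on which the request holds a reference */
    bool on_hn_requests;       /* true while queued on handshake_net->hn_requests */
};

/* Stand-in for remove_pending(): unlink from the pending list, or report that
 * it was already gone. The request itself stays reachable, as it stays in
 * handshake_rhashtbl in the kernel, so a second cancel can still find it. */
static bool remove_pending(struct mock_handshake_req *req)
{
    if (!req->on_hn_requests)
        return false;
    req->on_hn_requests = false;
    return true;
}

/* Stand-in for test_and_set_bit(): set the bit atomically, return its old value. */
static bool test_and_set_bit_model(unsigned long nr, atomic_ulong *flags)
{
    unsigned long prev = atomic_fetch_or(flags, 1UL << nr);
    return (prev >> nr) & 1UL;
}

/* Stand-in for sock_put(): drop one reference and return the new count.
 * A negative result is the underflow the advisory describes. */
static int sock_put(struct mock_sock *sk)
{
    return atomic_fetch_sub(&sk->sk_refcnt, 1) - 1;
}

/* Cancel path shaped like the flaw: the pending-cancel branch never marks the
 * request COMPLETED, so a duplicate cancel finds it gone from hn_requests,
 * sees COMPLETED clear, takes the "accepted, waiting for DONE" branch and
 * reaches out_true, which releases the socket reference a second time. */
static bool cancel_vulnerable(struct mock_handshake_req *req)
{
    if (remove_pending(req))
        goto out_true;
    if (test_and_set_bit_model(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags))
        return false;              /* already completed: nothing to release */
out_true:
    sock_put(req->hr_sk);
    return true;
}

/* Same path with the fix: the pending-cancel branch atomically claims
 * COMPLETED, so any later cancel sees the request as done and skips the put. */
static bool cancel_fixed(struct mock_handshake_req *req)
{
    if (remove_pending(req)) {
        if (test_and_set_bit_model(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags))
            return false;          /* already finished elsewhere: no second put */
        goto out_true;
    }
    if (test_and_set_bit_model(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags))
        return false;
out_true:
    sock_put(req->hr_sk);
    return true;
}

/* The advisory's scenario: one pending request on a socket holding a single
 * reference, cancelled twice (server-side FIN path, then client-side timeout).
 * Returns the final refcount and reports what the second cancel returned. */
static int run_duplicate_cancel(bool (*cancel)(struct mock_handshake_req *),
                                bool *second_cancel_result)
{
    struct mock_sock sk;
    struct mock_handshake_req req;

    atomic_init(&sk.sk_refcnt, 1);
    atomic_init(&req.hr_flags, 0UL);
    req.hr_sk = &sk;
    req.on_hn_requests = true;

    cancel(&req);                           /* first cancel: legitimate put, 1 -> 0 */
    *second_cancel_result = cancel(&req);   /* duplicate cancel */
    return atomic_load(&sk.sk_refcnt);
}

int main(void)
{
    bool second;
    int refs;

    refs = run_duplicate_cancel(cancel_vulnerable, &second);
    printf("vulnerable: second cancel returned %d, refcount = %d\n", second, refs);
    refs = run_duplicate_cancel(cancel_fixed, &second);
    printf("fixed:      second cancel returned %d, refcount = %d\n", second, refs);
    return 0;
}
```

The flawed shape ends the scenario with a refcount of -1 and a second cancel that reports success; the fixed shape ends at 0 with the second cancel returning false. The only difference between the two functions is the atomic claim of COMPLETED in the pending-cancel branch, which is exactly the missing check the advisory's patches add.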
Workarounds
- Disable SUNRPC TLS handshake support if not operationally required
- Ensure tlshd daemon is properly configured and monitored to minimize handshake failures
- Implement network-level controls to reduce timeout conditions that could trigger the vulnerability
- Consider using kernel live patching solutions if available for your distribution
# Check current kernel version for vulnerability status
uname -r
# Review dmesg for handshake-related errors
dmesg | grep -i "handshake\|refcount"
# Monitor tlshd daemon status
systemctl status tlshd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.