Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-74456.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-74456
Upstream
Published
2026-01-13T16:15:57Z
Modified
2026-04-01T05:22:43.311184Z
Summary
CVE-2025-68775 affecting package kernel for versions less than 6.6.121.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

net/handshake: duplicate handshake cancellations leak socket

When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed.

If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs.

This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync().

Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected.
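
A user-space model of the cancel path described above, added here as an illustration; it is not kernel source or the upstream patch. The struct, the function names and the `fixed` switch are assumptions, and the model places the test-and-set in the pending branch as the last sentence of the description states.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; all names here are hypothetical, not kernel code. */
struct model_req {
    bool pending;    /* still on the pending-requests list */
    bool completed;  /* stands in for HANDSHAKE_F_REQ_COMPLETED */
    int  sock_refs;  /* references held on the socket */
};

/* Mimics test_and_set_bit(): set the flag, return its previous value. */
static bool test_and_set(bool *flag)
{
    bool old = *flag;
    *flag = true;
    return old;
}

/* One cancellation; fixed=false models the behaviour before the fix. */
static bool model_cancel(struct model_req *req, bool fixed)
{
    bool was_pending = req->pending;
    req->pending = false;          /* remove_pending() stand-in */
    if (was_pending) {
        /* Pending path: with the fix, the request is marked completed. */
        if (fixed && test_and_set(&req->completed))
            return false;
        goto out_true;
    }
    if (test_and_set(&req->completed))
        return false;              /* duplicate or already completed */
out_true:
    req->sock_refs--;              /* drop the socket reference */
    return true;
}

/* Socket reference count after two cancels of the same request. */
static int refs_after_two_cancels(bool fixed)
{
    struct model_req req = { .pending = true, .completed = false, .sock_refs = 1 };
    model_cancel(&req, fixed);     /* first cancel */
    model_cancel(&req, fixed);     /* duplicate cancel */
    return req.sock_refs;
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", refs_after_two_cancels(false), refs_after_two_cancels(true));
    return 0;
}
```

In the unfixed model the first cancel leaves the flag clear, so the duplicate cancel passes the flag check and drops a second reference; with the flag set in the pending branch the duplicate returns early.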

References

Affected packages

Azure Linux:3 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.121.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-74456.json"