MiracleLinux 3 : kernel-2.6.18-128.14.AXS3 (AXSA:2010-141:01)

🗓️ 14 Jan 2026 00:00:00Reported by TenableType
MiracleLinux 3 kernel 2.6.18-128.14.AXS3 fixes multiple CVEs under AXSA:2010-141:01.
Reporter	Title	Published	Views	Family All 663
0day.today	Linux Kernel 3.3.x <= 3.3.4 Buffer overflow in HFS plus filesystem	16 May 201200:00	–	zdt
Tenable Nessus	CentOS 4 : kernel (CESA-2009:1522)	27 Oct 200900:00	–	nessus
Tenable Nessus	CentOS 4 : kernel (CESA-2009:1541)	29 Jun 201300:00	–	nessus
Tenable Nessus	CentOS 5 : kernel (CESA-2009:1548)	29 Jun 201300:00	–	nessus
Tenable Nessus	CentOS 3 : kernel (CESA-2009:1550)	29 Jun 201300:00	–	nessus
Tenable Nessus	CentOS 5 : kernel (CESA-2009:1670)	6 Jan 201000:00	–	nessus
Tenable Nessus	CentOS 4 : kernel (CESA-2009:1671)	21 Dec 200900:00	–	nessus
Tenable Nessus	CentOS 5 : kernel (CESA-2010:0019)	10 Jan 201000:00	–	nessus
Tenable Nessus	CentOS 4 : kernel (CESA-2010:0020)	15 Jan 201000:00	–	nessus
Tenable Nessus	CentOS 5 : kernel (CESA-2010:0046)	21 Jan 201000:00	–	nessus
Source	Link
tsn	www.tsn.miraclelinux.com/en/node/1295
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2010-141:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(284091);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/12");

  script_cve_id(
    "CVE-2007-4567",
    "CVE-2009-2910",
    "CVE-2009-3080",
    "CVE-2009-3556",
    "CVE-2009-3612",
    "CVE-2009-3620",
    "CVE-2009-3621",
    "CVE-2009-3726",
    "CVE-2009-3889",
    "CVE-2009-3939",
    "CVE-2009-4020",
    "CVE-2009-4021",
    "CVE-2009-4138",
    "CVE-2009-4141",
    "CVE-2009-4536",
    "CVE-2009-4537",
    "CVE-2009-4538"
  );
  script_xref(name:"IAVA", value:"2010-A-0015-S");
  script_xref(name:"IAVA", value:"2010-A-0001-S");

  script_name(english:"MiracleLinux 3 : kernel-2.6.18-128.14.AXS3 (AXSA:2010-141:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2010-141:01 advisory.

    The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system.  The
    kernel handles the basic functions of the operating system:  memory allocation, process allocation, device
    input and output, etc.
    Security bugs fixed with this release:
    CVE-2009-3612
    The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x
    before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member,
    which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.
    NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.
    CVE-2009-3620
    The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify
    Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of
    service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl
    calls.
    CVE-2009-3621
    net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of
    service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown
    operation on this socket, and then performing a series of connect operations to this socket.
    CVE-2009-3726
    The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4
    allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a
    certain response containing incorrect file attributes, which trigger attempted use of an open file that
    lacks NFSv4 state.
    CVE-2007-4567
    Linux kernel 2.6.22 and earlier, and possibly other versions, does not properly validate the hop-by-hop
    IPv6 extended header, which allows remote attackers to cause a denial of service (kernel panic) via a
    crafted IPv6 packet.
    CVE-2009-4536
    drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles
    Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete
    frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload.
    NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.
    CVE-2009-4537
    drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 and earlier does not properly check
    the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of
    service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets
    containing A characters and certain packets containing E characters; or (2) cause a denial of service
    (system crash) via a packet with a crafted size, in conjunction with certain packets containing '0'
    characters, related to the value of the status register and erroneous behavior associated with the
    RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.
    CVE-2009-4538
    drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2.6.32.3 and earlier does not
    properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to have
    an unspecified impact via crafted packets, a related issue to CVE-2009-4537.
    CVE-2009-4036
    No description available at the time of writing.
    CVE-2009-2910
    arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear
    certain kernel registers before a return to user mode, which allows local users to read register values
    from an earlier process by switching an ia32 process to 64-bit mode.
    CVE-2009-3080
    Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before
    2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative
    event index in an IOCTL request.
    CVE-2009-3556
    A certain Red Hat configuration step for the qla2xxx driver in the Linux kernel 2.6.18 on Red Hat
    Enterprise Linux (RHEL) 5, when N_Port ID Virtualization (NPIV) hardware is used, sets world-writable
    permissions for the (1) vport_create and (2) vport_delete files under /sys/class/scsi_host/, which allows
    local users to make arbitrary changes to SCSI host attributes by modifying these files.
    CVE-2009-3889
    The dbg_lvl file for the megaraid_sas driver in the Linux kernel before 2.6.27 has world-writable
    permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by
    modifying this file.
    CVE-2009-3939
    The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-
    writable permissions, which allows local users to change the I/O mode of the driver by modifying this
    file.
    CVE-2009-4020
    Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to
    have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the
    hfs_readdir function in fs/hfs/dir.c.
    CVE-2009-4021
    The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel before 2.6.32-rc7
    might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors
    possibly related to a memory-consumption attack.
    CVE-2009-4138
    drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used,
    allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly
    have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains
    zero in the payload-length field.
    CVE-2009-4141
    Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before
    2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka
    FASYNC or FIOASYNC) on a locked file, and then closing this file.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/1295");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-4538");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2009-3620");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/03/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-PAE");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-PAE-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 3.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'kernel-2.6.18-128.14.AXS3', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-2.6.18-128.14.AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-devel-2.6.18-128.14.AXS3', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-devel-2.6.18-128.14.AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-headers-2.6.18-128.14.AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-PAE-2.6.18-128.14.AXS3', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-PAE-devel-2.6.18-128.14.AXS3', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-xen-2.6.18-128.14.AXS3', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-xen-2.6.18-128.14.AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-xen-devel-2.6.18-128.14.AXS3', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-xen-devel-2.6.18-128.14.AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-PAE / kernel-PAE-devel / kernel-devel / etc');
}
12 Feb 2026 00:00Current
7High risk
Vulners AI Score7
CVSS 210
CVSS 3.17.8
EPSS0.05792