Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-381120)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Linux kernel fix for wifi wilc1000 use-after-free during interface cleanup; KASAN warning resolved.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(266813);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2024-26895");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-381120)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-381120 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces

    wilc_netdev_cleanup currently triggers a KASAN warning, which can be
    observed on interface registration error path, or simply by
    removing the module/unbinding device from driver:

    echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind

    ==================================================================
    BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc
    Read of size 4 at addr c54d1ce8 by task sh/86

    CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117
    Hardware name: Atmel SAMA5
     unwind_backtrace from show_stack+0x18/0x1c
     show_stack from dump_stack_lvl+0x34/0x58
     dump_stack_lvl from print_report+0x154/0x500
     print_report from kasan_report+0xac/0xd8
     kasan_report from wilc_netdev_cleanup+0x508/0x5cc
     wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec
     wilc_bus_remove from spi_remove+0x8c/0xac
     spi_remove from device_release_driver_internal+0x434/0x5f8
     device_release_driver_internal from unbind_store+0xbc/0x108
     unbind_store from kernfs_fop_write_iter+0x398/0x584
     kernfs_fop_write_iter from vfs_write+0x728/0xf88
     vfs_write from ksys_write+0x110/0x1e4
     ksys_write from ret_fast_syscall+0x0/0x1c

    [...]

    Allocated by task 1:
     kasan_save_track+0x30/0x5c
     __kasan_kmalloc+0x8c/0x94
     __kmalloc_node+0x1cc/0x3e4
     kvmalloc_node+0x48/0x180
     alloc_netdev_mqs+0x68/0x11dc
     alloc_etherdev_mqs+0x28/0x34
     wilc_netdev_ifc_init+0x34/0x8ec
     wilc_cfg80211_init+0x690/0x910
     wilc_bus_probe+0xe0/0x4a0
     spi_probe+0x158/0x1b0
     really_probe+0x270/0xdf4
     __driver_probe_device+0x1dc/0x580
     driver_probe_device+0x60/0x140
     __driver_attach+0x228/0x5d4
     bus_for_each_dev+0x13c/0x1a8
     bus_add_driver+0x2a0/0x608
     driver_register+0x24c/0x578
     do_one_initcall+0x180/0x310
     kernel_init_freeable+0x424/0x484
     kernel_init+0x20/0x148
     ret_from_fork+0x14/0x28

    Freed by task 86:
     kasan_save_track+0x30/0x5c
     kasan_save_free_info+0x38/0x58
     __kasan_slab_free+0xe4/0x140
     kfree+0xb0/0x238
     device_release+0xc0/0x2a8
     kobject_put+0x1d4/0x46c
     netdev_run_todo+0x8fc/0x11d0
     wilc_netdev_cleanup+0x1e4/0x5cc
     wilc_bus_remove+0xc8/0xec
     spi_remove+0x8c/0xac
     device_release_driver_internal+0x434/0x5f8
     unbind_store+0xbc/0x108
     kernfs_fop_write_iter+0x398/0x584
     vfs_write+0x728/0xf88
     ksys_write+0x110/0x1e4
     ret_fast_syscall+0x0/0x1c
     [...]

    David Mosberger-Tan initial investigation [1] showed that this
    use-after-free is due to netdevice unregistration during vif list
    traversal. When unregistering a net device, since the needs_free_netdev has
    been set to true during registration, the netdevice object is also freed,
    and as a consequence, the corresponding vif object too, since it is
    attached to it as private netdevice data. The next occurrence of the loop
    then tries to access freed vif pointer to the list to move forward in the
    list.

    Fix this use-after-free thanks to two mechanisms:
    - navigate in the list with list_for_each_entry_safe, which allows to
      safely modify the list as we go through each element. For each element,
      remove it from the list with list_del_rcu
    - make sure to wait for RCU grace period end after each vif removal to make
      sure it is safe to free the corresponding vif too (through
      unregister_netdev)

    Since we are in a RCU modifier path (not a reader path), and because
    such path is expected not to be concurrent to any other modifier (we are
    using the vif_mutex lock), we do not need to use RCU list API, that's why
    we can benefit from list_for_each_entry_safe.

    [1] https://lore.kernel.org/linux-wireless/[email protected]/

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-381120
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9ec84b3");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-26895");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-26895");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.12', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.17.8
EPSS0.00235
SSVC
2