Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987359)

🗓️ 07 Oct 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Unity Linux kernel update fixes Bluetooth use after free in hci_send_acl during disconnect.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(268696);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/15");

  script_cve_id("CVE-2022-49111");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987359)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-987359 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    Bluetooth: Fix use after free in hci_send_acl

    This fixes the following trace caused by receiving
    HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without
    first checking if conn->type is in fact AMP_LINK and in case it is
    do properly cleanup upper layers with hci_disconn_cfm:

     ==================================================================
        BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
        Read of size 8 at addr ffff88800e404818 by task bluetoothd/142

        CPU: 0 PID: 142 Comm: bluetoothd Not tainted
        5.17.0-rc5-00006-gda4022eeac1a #7
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x45/0x59
         print_address_description.constprop.0+0x1f/0x150
         kasan_report.cold+0x7f/0x11b
         hci_send_acl+0xaba/0xc50
         l2cap_do_send+0x23f/0x3d0
         l2cap_chan_send+0xc06/0x2cc0
         l2cap_sock_sendmsg+0x201/0x2b0
         sock_sendmsg+0xdc/0x110
         sock_write_iter+0x20f/0x370
         do_iter_readv_writev+0x343/0x690
         do_iter_write+0x132/0x640
         vfs_writev+0x198/0x570
         do_writev+0x202/0x280
         do_syscall_64+0x38/0x90
         entry_SYSCALL_64_after_hwframe+0x44/0xae
        RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
        Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
        0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05
        <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
        RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015
        RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77
        R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580
        RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001
        </TASK>
        R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0

        Allocated by task 45:
            kasan_save_stack+0x1e/0x40
            __kasan_kmalloc+0x81/0xa0
            hci_chan_create+0x9a/0x2f0
            l2cap_conn_add.part.0+0x1a/0xdc0
            l2cap_connect_cfm+0x236/0x1000
            le_conn_complete_evt+0x15a7/0x1db0
            hci_le_conn_complete_evt+0x226/0x2c0
            hci_le_meta_evt+0x247/0x450
            hci_event_packet+0x61b/0xe90
            hci_rx_work+0x4d5/0xc50
            process_one_work+0x8fb/0x15a0
            worker_thread+0x576/0x1240
            kthread+0x29d/0x340
            ret_from_fork+0x1f/0x30

        Freed by task 45:
            kasan_save_stack+0x1e/0x40
            kasan_set_track+0x21/0x30
            kasan_set_free_info+0x20/0x30
            __kasan_slab_free+0xfb/0x130
            kfree+0xac/0x350
            hci_conn_cleanup+0x101/0x6a0
            hci_conn_del+0x27e/0x6c0
            hci_disconn_phylink_complete_evt+0xe0/0x120
            hci_event_packet+0x812/0xe90
            hci_rx_work+0x4d5/0xc50
            process_one_work+0x8fb/0x15a0
            worker_thread+0x576/0x1240
            kthread+0x29d/0x340
            ret_from_fork+0x1f/0x30

        The buggy address belongs to the object at ffff88800c0f0500
        The buggy address is located 24 bytes inside of
        which belongs to the cache kmalloc-128 of size 128
        The buggy address belongs to the page:
        128-byte region [ffff88800c0f0500, ffff88800c0f0580)
        flags: 0x100000000000200(slab|node=0|zone=1)
        page:00000000fe45cd86 refcount:1 mapcount:0
        mapping:0000000000000000 index:0x0 pfn:0xc0f0
        raw: 0000000000000000 0000000080100010 00000001ffffffff
        0000000000000000
        raw: 0100000000000200 ffffea00003a2c80 dead000000000004
        ffff8880078418c0
        page dumped because: kasan: bad access detected
        ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
        Memory state around the buggy address:
        >ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-987359
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ee8f270f");
  # https://lore.kernel.org/linux-cve-announce/2025022602-CVE-2022-49111-8795@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef9d23a8");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49111");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49111");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-74.16', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Oct 2025 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.17.8
EPSS0.00247
SSVC
3