Unity Linux 20.1070a Security Update: kernel (UTSA-2025-988694)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType

Kernel update fixes powerpc emergency stack path in __GEN_COMMON_BODY and avoids numeric label jumps.

Reporter	Title	Published	Views	Family All 97
AstraLinux	Astra Linux - уязвимость в linux-5.10	20 May 202605:53	–	astralinux
Circl	CVE-2021-47428	3 Dec 202514:14	–	circl
CNNVD	Linux kernel 安全漏洞	21 May 202400:00	–	cnnvd
CVE	CVE-2021-47428	21 May 202415:04	–	cve
Cvelist	CVE-2021-47428 powerpc/64s: fix program check interrupt emergency stack path	21 May 202415:04	–	cvelist
Debian CVE	CVE-2021-47428	21 May 202415:04	–	debiancve
Oracle linux	kernel security update	14 Nov 202400:00	–	oraclelinux
Tenable Nessus	MiracleLinux 9 : kernel-5.14.0-503.11.1.el9_5 (AXSA:2025-9528:03)	20 Jan 202600:00	–	nessus
Tenable Nessus	Oracle Linux 9 : kernel (ELSA-2024-9315)	19 Nov 202400:00	–	nessus
Tenable Nessus	RHEL 9 : kernel (RHSA-2024:9315)	12 Nov 202400:00	–	nessus

Source	Link
nessus	www.nessus.org/u
nessus	www.nessus.org/u
nvd	www.nvd.nist.gov/vuln/detail/CVE-2021-47428
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(273272);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2021-47428");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-988694)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-988694 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    powerpc/64s: fix program check interrupt emergency stack path

    Emergency stack path was jumping into a 3: label inside the
    __GEN_COMMON_BODY macro for the normal path after it had finished,
    rather than jumping over it. By a small miracle this is the correct
    place to build up a new interrupt frame with the existing stack
    pointer, so things basically worked okay with an added weird looking
    700 trap frame on top (which had the wrong ->nip so it didn't decode
    bug messages either).

    Fix this by avoiding using numeric labels when jumping over non-trivial
    macros.

    Before:

     LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
     Modules linked in:
     CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637
     NIP:  7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0
     REGS: c0000000fffb3a50 TRAP: 0700   Not tainted
     MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 00000700  XER: 20040000
     CFAR: c0000000000098b0 IRQMASK: 0
     GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800 0000000000000000
     GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
     GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
     GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
     GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
     GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
     GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
     GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
     NIP [7265677368657265] 0x7265677368657265
     LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
     Call Trace:
     [c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable)
     --- interrupt: 700 at decrementer_common_virt+0xb8/0x230
     NIP:  c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0
     REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
     MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 22424282  XER: 20040000
     CFAR: c0000000000098b0 IRQMASK: 0
     GPR00: c00000000006c964 0000000000002400 c000000001513800 0000000000000000
     GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
     GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
     GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
     GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
     GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
     GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
     GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
     NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
     LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
     --- interrupt: 700
     Instruction dump:
     XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
     XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
     ---[ end trace 6d28218e0cc3c949 ]---

    After:

     ------------[ cut here ]------------
     kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491!
     Oops: Exception in kernel mode, sig: 5 [#1]
     LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
     Modules linked in:
     CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638
     NIP:  c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0
     REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
     MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 24482227  XER: 00040000
     CFAR: c0000000000098b0 IRQMASK: 0
     GPR00: c00000000006bf04 0000000000002400 c000000001513800 c000000001271868
     GPR04: 00000000100f0d29 0000000042000000 0000000000000007 0000000000000009
     GPR08: 00000000100f0d29 0000000024482227 0000000000002710 c000000000181b3c
     GPR12: 9000000000009033 c0000000016b0000 00000000100f0d29 c000000005b22f00
     GPR16: 00000000ffff0000 0000000000000001 0000000000000009 00000000100eed90
     GPR20: 00000000100eed90 00000
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-988694
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9243deca");
  # https://lore.kernel.org/linux-cve-announce/2024052157-CVE-2021-47428-f3c0@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1d3376f9");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47428");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47428");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

05 Nov 2025 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.15.5

EPSS0.00028

SSVC