Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990199)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux 20 updates the kernel to fix a possible deadlock in multipath TCP subflow diagnostic.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272462);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2024-26781");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990199)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990199 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    mptcp: fix possible deadlock in subflow diag

    Syzbot and Eric reported a lockdep splat in the subflow diag:

       WARNING: possible circular locking dependency detected
       6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted

       syz-executor.2/24141 is trying to acquire lock:
       ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
       tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
       ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:
       tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137

       but task is already holding lock:
       ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock
       include/linux/spinlock.h:351 [inline]
       ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:
       inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038

       which lock already depends on the new lock.

       the existing dependency chain (in reverse order) is:

       -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:
       lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
       __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
       _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
       spin_lock include/linux/spinlock.h:351 [inline]
       __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743
       inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261
       __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217
       inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239
       rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316
       rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577
       ops_init+0x352/0x610 net/core/net_namespace.c:136
       __register_pernet_operations net/core/net_namespace.c:1214 [inline]
       register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283
       register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370
       rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735
       do_one_initcall+0x238/0x830 init/main.c:1236
       do_initcall_level+0x157/0x210 init/main.c:1298
       do_initcalls+0x3f/0x80 init/main.c:1314
       kernel_init_freeable+0x42f/0x5d0 init/main.c:1551
       kernel_init+0x1d/0x2a0 init/main.c:1441
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242

       -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
       __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
       lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
       lock_sock_fast include/net/sock.h:1723 [inline]
       subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28
       tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]
       tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137
       inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345
       inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061
       __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263
       inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371
       netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264
       __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370
       netlink_dump_start include/linux/netlink.h:338 [inline]
       inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405
       sock_diag_rcv_msg+0xe7/0x410
       netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
       sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
       netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
       netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
       netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x221/0x270 net/socket.c:745
       ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
       ___sys_sendmsg net/socket.c:2638 [inline]
       __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
       do_syscall_64+0xf9/0x240
       entry_SYSCALL_64_after_hwframe+0x6f/0x77

    As noted by Eric we can break the lock dependency chain avoid
    dumping
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990199
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b5a8d761");
  # https://lore.kernel.org/linux-cve-announce/2024040458-CVE-2024-26781-0389@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2ce650a3");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-26781");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-26781");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.15.5
EPSS0.00173
SSVC
2