Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990280)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType

JFS slab out-of-bounds read fixed in Linux kernel ea_get due to overflow in size clamp.

Reporter	Title	Published	Views	Family All 302
AstraLinux	Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12	16 Jun 202511:28	–	astralinux
Tenable Nessus	Azure Linux 3.0 Security Update: kernel (CVE-2025-39735)	11 Jul 202500:00	–	nessus
Tenable Nessus	Debian dla-4178 : ata-modules-5.10.0-34-armmp-di - security update	26 May 202500:00	–	nessus
Tenable Nessus	Debian dla-4193 : linux-config-6.1 - security update	29 May 202500:00	–	nessus
Tenable Nessus	Debian dsa-5907 : affs-modules-6.1.0-33-4kc-malta-di - security update	27 Apr 202500:00	–	nessus
Tenable Nessus	CBL Mariner 2.0 Security Update: kernel (CVE-2025-39735)	6 May 202500:00	–	nessus
Tenable Nessus	Oracle Linux 10 / 9 : Unbreakable Enterprise kernel (ELSA-2025-20480)	18 Jul 202500:00	–	nessus
Tenable Nessus	Oracle Linux 10 / 9 : Unbreakable Enterprise kernel (ELSA-2025-20530)	19 Aug 202500:00	–	nessus
Tenable Nessus	SUSE SLES15 Security Update : kernel (SUSE-SU-2025:01620-1)	22 May 202500:00	–	nessus
Tenable Nessus	SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2025:01964-1)	27 Jun 202500:00	–	nessus

Source	Link
nessus	www.nessus.org/u
nessus	www.nessus.org/u
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-39735
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272649);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2025-39735");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990280)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-990280 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    jfs: fix slab-out-of-bounds read in ea_get()

    During the size_check label in ea_get(), the code checks if the extended
    attribute list (xattr) size matches ea_size. If not, it logs
    ea_get: invalid extended attribute and calls print_hex_dump().

    Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds
    INT_MAX (2,147,483,647). Then ea_size is clamped:

            int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));

    Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper
    limit is treated as an int, causing an overflow above 2^31 - 1. This leads
    size to wrap around and become negative (-184549328).

    The size is then passed to print_hex_dump() (called len in
    print_hex_dump()), it is passed as type size_t (an unsigned
    type), this is then stored inside a variable called
    int remaining, which is then assigned to int linelen which
    is then passed to hex_dump_to_buffer(). In print_hex_dump()
    the for loop, iterates through 0 to len-1, where len is
    18446744073525002176, calling hex_dump_to_buffer()
    on each iteration:

            for (i = 0; i < len; i += rowsize) {
                    linelen = min(remaining, rowsize);
                    remaining -= rowsize;

                    hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
                                       linebuf, sizeof(linebuf), ascii);

                    ...
            }

    The expected stopping condition (i < len) is effectively broken
    since len is corrupted and very large. This eventually leads to
    the ptr+i being passed to hex_dump_to_buffer() to get closer
    to the end of the actual bounds of ptr, eventually an out of
    bounds access is done in hex_dump_to_buffer() in the following
    for loop:

            for (j = 0; j < len; j++) {
                            if (linebuflen < lx + 2)
                                    goto overflow2;
                            ch = ptr[j];
                    ...
            }

    To fix this we should validate EALIST_SIZE(ea_buf->xattr)
    before it is utilised.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-990280
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4f89314a");
  # https://lore.kernel.org/linux-cve-announce/2025041820-CVE-2025-39735-41c8@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?83a84d06");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-39735");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-39735");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

05 Nov 2025 00:00Current

6.3Medium risk

Vulners AI Score6.3

CVSS 3.17.1

EPSS0.00215

SSVC