Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-992184)

🗓️ 30 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

The Linux kernel fix addresses a wifi rtl8812ae global out-of-bounds in the txpower limit.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(280447);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/30");

  script_cve_id("CVE-2022-50279");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-992184)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-992184 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()

    There is a global-out-of-bounds reported by KASAN:

      BUG: KASAN: global-out-of-bounds in
      _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
      Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411

      CPU: 6 PID: 411 Comm: NetworkManager Tainted: G      D
      6.1.0-rc8+ #144 e15588508517267d37
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
      Call Trace:
       <TASK>
       ...
       kasan_report+0xbb/0x1c0
       _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae]
       rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae]
       rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae]
       ...
       </TASK>

    The root cause of the problem is that the comparison order of
    prate_section in _rtl8812ae_phy_set_txpower_limit() is wrong. The
    _rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two
    strings from tail to head, which causes the problem. In the
    _rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet
    this requirement by carefully designing the comparison order.
    For example, pregulation and pbandwidth are compared in order of
    length from small to large, first is 3 and last is 4. However, the
    comparison order of prate_section dose not obey such order requirement,
    therefore when prate_section is HT, when comparing from tail to head,
    it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As
    mentioned above, the _rtl8812ae_eq_n_byte() has the same function as
    strcmp(), so just strcmp() is enough.

    Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely.
    Although it can be fixed by adjusting the comparison order of
    prate_section, this may cause the value of rate_section to not be
    from 0 to 5. In addition, commit 21e4b0726dc6 not only moved driver
    from staging to regular tree, but also added setting txpower limit
    function during the driver config phase, so the problem was introduced
    by this commit.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-992184
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?211125a4");
  # https://lore.kernel.org/linux-cve-announce/2025091506-CVE-2022-50279-412b@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2e0ea37f");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50279");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50279");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/30");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2409.6.0.0297.103.005', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2409.6.0.0297.103.005', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2409.6.0.0297.103.005', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Dec 2025 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 3.17.1
EPSS0.00149
4