Lucene search
K

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992188)

🗓️ 30 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux kernel security update fixes CIFS oops during encryption (UTSA-2025-992188).

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(280404);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/30");

  script_cve_id("CVE-2022-50341");

  script_name(english:"Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992188)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-992188 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    cifs: fix oops during encryption

    When running xfstests against Azure the following oops occurred on an
    arm64 system

      Unable to handle kernel write to read-only memory at virtual address
      ffff0001221cf000
      Mem abort info:
        ESR = 0x9600004f
        EC = 0x25: DABT (current EL), IL = 32 bits
        SET = 0, FnV = 0
        EA = 0, S1PTW = 0
        FSC = 0x0f: level 3 permission fault
      Data abort info:
        ISV = 0, ISS = 0x0000004f
        CM = 0, WnR = 1
      swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
      [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
      pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
      Internal error: Oops: 9600004f [#1] PREEMPT SMP
      ...
      pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
      pc : __memcpy+0x40/0x230
      lr : scatterwalk_copychunks+0xe0/0x200
      sp : ffff800014e92de0
      x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
      x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
      x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
      x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
      x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
      x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
      x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
      x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
      x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
      x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
      Call trace:
       __memcpy+0x40/0x230
       scatterwalk_map_and_copy+0x98/0x100
       crypto_ccm_encrypt+0x150/0x180
       crypto_aead_encrypt+0x2c/0x40
       crypt_message+0x750/0x880
       smb3_init_transform_rq+0x298/0x340
       smb_send_rqst.part.11+0xd8/0x180
       smb_send_rqst+0x3c/0x100
       compound_send_recv+0x534/0xbc0
       smb2_query_info_compound+0x32c/0x440
       smb2_set_ea+0x438/0x4c0
       cifs_xattr_set+0x5d4/0x7c0

    This is because in scatterwalk_copychunks(), we attempted to write to
    a buffer (@sign) that was allocated in the stack (vmalloc area) by
    crypt_message() and thus accessing its remaining 8 (x2) bytes ended up
    crossing a page boundary.

    To simply fix it, we could just pass @sign kmalloc'd from
    crypt_message() and then we're done.  Luckily, we don't seem to pass
    any other vmalloc'd buffers in smb_rqst::rq_iov...

    Instead, let's map the correct pages and offsets from vmalloc buffers
    as well in cifs_sg_set_buf() and then avoiding such oopses.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-992188
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22b503ce");
  # https://lore.kernel.org/linux-cve-announce/2025091638-CVE-2022-50341-12c1@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4c9efb9e");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50341");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50341");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/30");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060e',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Dec 2025 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.15.5
EPSS0.00096
SSVC
2