Lucene search
K

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-992734)

🗓️ 31 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Unity Linux kernel update fixes MTE false alarm in krealloc causing KASAN slab bounds.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(281129);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/31");

  script_cve_id("CVE-2024-53097");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-992734)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-992734 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    mm: krealloc: Fix MTE false alarm in __do_krealloc

    This patch addresses an issue introduced by commit 1a83a716ec233 (mm:
    krealloc: consider spare memory for __GFP_ZERO) which causes MTE
    (Memory Tagging Extension) to falsely report a slab-out-of-bounds error.

    The problem occurs when zeroing out spare memory in __do_krealloc. The
    original code only considered software-based KASAN and did not account
    for MTE. It does not reset the KASAN tag before calling memset, leading
    to a mismatch between the pointer tag and the memory tag, resulting
    in a false positive.

    Example of the error:
    ==================================================================
    swapper/0: BUG: KASAN: slab-out-of-bounds in __memset+0x84/0x188
    swapper/0: Write at addr f4ffff8005f0fdf0 by task swapper/0/1
    swapper/0: Pointer tag: [f4], memory tag: [fe]
    swapper/0:
    swapper/0: CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.
    swapper/0: Hardware name: MT6991(ENG) (DT)
    swapper/0: Call trace:
    swapper/0:  dump_backtrace+0xfc/0x17c
    swapper/0:  show_stack+0x18/0x28
    swapper/0:  dump_stack_lvl+0x40/0xa0
    swapper/0:  print_report+0x1b8/0x71c
    swapper/0:  kasan_report+0xec/0x14c
    swapper/0:  __do_kernel_fault+0x60/0x29c
    swapper/0:  do_bad_area+0x30/0xdc
    swapper/0:  do_tag_check_fault+0x20/0x34
    swapper/0:  do_mem_abort+0x58/0x104
    swapper/0:  el1_abort+0x3c/0x5c
    swapper/0:  el1h_64_sync_handler+0x80/0xcc
    swapper/0:  el1h_64_sync+0x68/0x6c
    swapper/0:  __memset+0x84/0x188
    swapper/0:  btf_populate_kfunc_set+0x280/0x3d8
    swapper/0:  __register_btf_kfunc_id_set+0x43c/0x468
    swapper/0:  register_btf_kfunc_id_set+0x48/0x60
    swapper/0:  register_nf_nat_bpf+0x1c/0x40
    swapper/0:  nf_nat_init+0xc0/0x128
    swapper/0:  do_one_initcall+0x184/0x464
    swapper/0:  do_initcall_level+0xdc/0x1b0
    swapper/0:  do_initcalls+0x70/0xc0
    swapper/0:  do_basic_setup+0x1c/0x28
    swapper/0:  kernel_init_freeable+0x144/0x1b8
    swapper/0:  kernel_init+0x20/0x1a8
    swapper/0:  ret_from_fork+0x10/0x20
    ==================================================================

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-992734
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?178b0206");
  # https://lore.kernel.org/linux-cve-announce/2024112505-CVE-2024-53097-cd93@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b5b4d656");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-53097");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-53097");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/11/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Dec 2025 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.15.5
EPSS0.00227
SSVC
4