Lucene search
K

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-992984)

🗓️ 31 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel use-after-free fix in nci timer and workqueue to prevent UAF when detaching an NCI device.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(281429);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/31");

  script_cve_id("CVE-2022-49059");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-992984)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-992984 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    nfc: nci: add flush_workqueue to prevent uaf

    Our detector found a concurrent use-after-free bug when detaching an
    NCI device. The main reason for this bug is the unexpected scheduling
    between the used delayed mechanism (timer and workqueue).

    The race can be demonstrated below:

    Thread-1                           Thread-2
                                     | nci_dev_up()
                                     |   nci_open_device()
                                     |     __nci_request(nci_reset_req)
                                     |       nci_send_cmd
                                     |         queue_work(cmd_work)
    nci_unregister_device()          |
      nci_close_device()             | ...
        del_timer_sync(cmd_timer)[1] |
    ...                              | Worker
    nci_free_device()                | nci_cmd_work()
      kfree(ndev)[3]                 |   mod_timer(cmd_timer)[2]

    In short, the cleanup routine thought that the cmd_timer has already
    been detached by [1] but the mod_timer can re-attach the timer [2], even
    it is already released [3], resulting in UAF.

    This UAF is easy to trigger, crash trace by POC is like below

    [   66.703713] ==================================================================
    [   66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490
    [   66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33
    [   66.703974]
    [   66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5
    [   66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work
    [   66.703974] Call Trace:
    [   66.703974]  <TASK>
    [   66.703974]  dump_stack_lvl+0x57/0x7d
    [   66.703974]  print_report.cold+0x5e/0x5db
    [   66.703974]  ? enqueue_timer+0x448/0x490
    [   66.703974]  kasan_report+0xbe/0x1c0
    [   66.703974]  ? enqueue_timer+0x448/0x490
    [   66.703974]  enqueue_timer+0x448/0x490
    [   66.703974]  __mod_timer+0x5e6/0xb80
    [   66.703974]  ? mark_held_locks+0x9e/0xe0
    [   66.703974]  ? try_to_del_timer_sync+0xf0/0xf0
    [   66.703974]  ? lockdep_hardirqs_on_prepare+0x17b/0x410
    [   66.703974]  ? queue_work_on+0x61/0x80
    [   66.703974]  ? lockdep_hardirqs_on+0xbf/0x130
    [   66.703974]  process_one_work+0x8bb/0x1510
    [   66.703974]  ? lockdep_hardirqs_on_prepare+0x410/0x410
    [   66.703974]  ? pwq_dec_nr_in_flight+0x230/0x230
    [   66.703974]  ? rwlock_bug.part.0+0x90/0x90
    [   66.703974]  ? _raw_spin_lock_irq+0x41/0x50
    [   66.703974]  worker_thread+0x575/0x1190
    [   66.703974]  ? process_one_work+0x1510/0x1510
    [   66.703974]  kthread+0x2a0/0x340
    [   66.703974]  ? kthread_complete_and_exit+0x20/0x20
    [   66.703974]  ret_from_fork+0x22/0x30
    [   66.703974]  </TASK>
    [   66.703974]
    [   66.703974] Allocated by task 267:
    [   66.703974]  kasan_save_stack+0x1e/0x40
    [   66.703974]  __kasan_kmalloc+0x81/0xa0
    [   66.703974]  nci_allocate_device+0xd3/0x390
    [   66.703974]  nfcmrvl_nci_register_dev+0x183/0x2c0
    [   66.703974]  nfcmrvl_nci_uart_open+0xf2/0x1dd
    [   66.703974]  nci_uart_tty_ioctl+0x2c3/0x4a0
    [   66.703974]  tty_ioctl+0x764/0x1310
    [   66.703974]  __x64_sys_ioctl+0x122/0x190
    [   66.703974]  do_syscall_64+0x3b/0x90
    [   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [   66.703974]
    [   66.703974] Freed by task 406:
    [   66.703974]  kasan_save_stack+0x1e/0x40
    [   66.703974]  kasan_set_track+0x21/0x30
    [   66.703974]  kasan_set_free_info+0x20/0x30
    [   66.703974]  __kasan_slab_free+0x108/0x170
    [   66.703974]  kfree+0xb0/0x330
    [   66.703974]  nfcmrvl_nci_unregister_dev+0x90/0xd0
    [   66.703974]  nci_uart_tty_close+0xdf/0x180
    [   66.703974]  tty_ldisc_kill+0x73/0x110
    [   66.703974]  tty_ldisc_hangup+0x281/0x5b0
    [   66.703974]  __tty_hangup.part.0+0x431/0x890
    [   66.703974]  tty_release+0x3a8/0xc80
    [   66.703974]  __fput+0x1f0/0x8c0
    [   66.703974]  task_work_run+0xc9/0x170
    [   66.703974]  exit_to_user_mode_prepare+0x194/0x1a0
    [   66.703974]  syscall_exit_to_user_mode+0x19/0x50
    [   66.703974]  do_syscall_64+0x48/0x90
    [   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0x
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-992984
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?63d097b4");
  # https://lore.kernel.org/linux-cve-announce/2025022653-CVE-2022-49059-4608@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6048551a");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49059");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49059");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Dec 2025 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.17.8
EPSS0.00285
SSVC
2