Lucene search
K

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993024)

🗓️ 31 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Unity Linux 20.1060a/20.1070a security update fixes iwlwifi double free on TX path and KASAN issues.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(280907);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/31");

  script_cve_id("CVE-2022-50248");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993024)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-993024 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    wifi: iwlwifi: mvm: fix double free on tx path.

    We see kernel crashes and lockups and KASAN errors related to ax210
    firmware crashes.  One of the KASAN dumps pointed at the tx path,
    and it appears there is indeed a way to double-free an skb.

    If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the
    method will be freed.  But, in case where we build TSO skb buffer,
    the skb may also be freed in error case.  So, return 0 in that particular
    error case and do cleanup manually.

    BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90
    iwlwifi 0000:06:00.0: 0x00000000 | tsf hi
    Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650

    CPU: 4 PID: 9650 Comm: btserver Tainted: G        W         5.19.8+ #5
    iwlwifi 0000:06:00.0: 0x00000000 | time gp1
    Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019
    Call Trace:
     <TASK>
     dump_stack_lvl+0x55/0x6d
     print_report.cold.12+0xf2/0x684
    iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2
     ? __list_del_entry_valid+0x12/0x90
     kasan_report+0x8b/0x180
    iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type
     ? __list_del_entry_valid+0x12/0x90
     __list_del_entry_valid+0x12/0x90
    iwlwifi 0000:06:00.0: 0x00000048 | uCode version major
     tcp_update_skb_after_send+0x5d/0x170
     __tcp_transmit_skb+0xb61/0x15c0
    iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor
     ? __tcp_select_window+0x490/0x490
    iwlwifi 0000:06:00.0: 0x00000420 | hw version
     ? trace_kmalloc_node+0x29/0xd0
     ? __kmalloc_node_track_caller+0x12a/0x260
     ? memset+0x1f/0x40
     ? __build_skb_around+0x125/0x150
     ? __alloc_skb+0x1d4/0x220
     ? skb_zerocopy_clone+0x55/0x230
    iwlwifi 0000:06:00.0: 0x00489002 | board version
     ? kmalloc_reserve+0x80/0x80
     ? rcu_read_lock_bh_held+0x60/0xb0
     tcp_write_xmit+0x3f1/0x24d0
    iwlwifi 0000:06:00.0: 0x034E001C | hcmd
     ? __check_object_size+0x180/0x350
    iwlwifi 0000:06:00.0: 0x24020000 | isr0
     tcp_sendmsg_locked+0x8a9/0x1520
    iwlwifi 0000:06:00.0: 0x01400000 | isr1
     ? tcp_sendpage+0x50/0x50
    iwlwifi 0000:06:00.0: 0x48F0000A | isr2
     ? lock_release+0xb9/0x400
     ? tcp_sendmsg+0x14/0x40
    iwlwifi 0000:06:00.0: 0x00C3080C | isr3
     ? lock_downgrade+0x390/0x390
     ? do_raw_spin_lock+0x114/0x1d0
    iwlwifi 0000:06:00.0: 0x00200000 | isr4
     ? rwlock_bug.part.2+0x50/0x50
    iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id
     ? rwlock_bug.part.2+0x50/0x50
     ? lockdep_hardirqs_on_prepare+0xe/0x200
    iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event
     ? __local_bh_enable_ip+0x87/0xe0
     ? inet_send_prepare+0x220/0x220
    iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control
     tcp_sendmsg+0x22/0x40
     sock_sendmsg+0x5f/0x70
    iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration
     __sys_sendto+0x19d/0x250
    iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid
     ? __ia32_sys_getpeername+0x40/0x40
    iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match
     ? rcu_read_lock_held_common+0x12/0x50
     ? rcu_read_lock_sched_held+0x5a/0xd0
     ? rcu_read_lock_bh_held+0xb0/0xb0
     ? rcu_read_lock_sched_held+0x5a/0xd0
     ? rcu_read_lock_sched_held+0x5a/0xd0
     ? lock_release+0xb9/0x400
     ? lock_downgrade+0x390/0x390
     ? ktime_get+0x64/0x130
     ? ktime_get+0x8d/0x130
     ? rcu_read_lock_held_common+0x12/0x50
     ? rcu_read_lock_sched_held+0x5a/0xd0
     ? rcu_read_lock_held_common+0x12/0x50
     ? rcu_read_lock_sched_held+0x5a/0xd0
     ? rcu_read_lock_bh_held+0xb0/0xb0
     ? rcu_read_lock_bh_held+0xb0/0xb0
     __x64_sys_sendto+0x6f/0x80
     do_syscall_64+0x34/0xb0
     entry_SYSCALL_64_after_hwframe+0x46/0xb0
    RIP: 0033:0x7f1d126e4531
    Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45
    31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89
    RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531
    RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014
    RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-993024
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b59868b7");
  # https://lore.kernel.org/linux-cve-announce/2025091549-CVE-2022-50248-edcb@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c05aef01");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50248");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50248");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Dec 2025 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.17.8
EPSS0.0015
4