
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993244)

31 Dec 2025 00:00:00 | Reported by Tenable | Type: nessus | Source: www.tenable.com

A flaw in the kernel's kprobes disarm logic can fire WARN_ONCE() and leave an infinite list loop that results in an RCU stall or soft lockup (UTSA-2025-993244).

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(281049);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/31");

  script_cve_id("CVE-2022-50008");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993244)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-993244 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    kprobes: don't call disarm_kprobe() for disabled kprobes

    The assumption in __disable_kprobe() is wrong, and it could try to disarm
    an already disarmed kprobe and fire the WARN_ONCE() below. [0]  We can
    easily reproduce this issue.

    1. Write 0 to /sys/kernel/debug/kprobes/enabled.

      # echo 0 > /sys/kernel/debug/kprobes/enabled

    2. Run execsnoop.  At this time, one kprobe is disabled.

      # /usr/share/bcc/tools/execsnoop &
      [1] 2460
      PCOMM            PID    PPID   RET ARGS

      # cat /sys/kernel/debug/kprobes/list
      ffffffff91345650  r  __x64_sys_execve+0x0    [FTRACE]
      ffffffff91345650  k  __x64_sys_execve+0x0    [DISABLED][FTRACE]

    3. Write 1 to /sys/kernel/debug/kprobes/enabled, which changes
       kprobes_all_disarmed to false but does not arm the disabled kprobe.

      # echo 1 > /sys/kernel/debug/kprobes/enabled

      # cat /sys/kernel/debug/kprobes/list
      ffffffff91345650  r  __x64_sys_execve+0x0    [FTRACE]
      ffffffff91345650  k  __x64_sys_execve+0x0    [DISABLED][FTRACE]

    4. Kill execsnoop, when __disable_kprobe() calls disarm_kprobe() for the
       disabled kprobe and hits the WARN_ONCE() in __disarm_kprobe_ftrace().

      # fg
      /usr/share/bcc/tools/execsnoop
      ^C

    Actually, WARN_ONCE() is fired twice, and __unregister_kprobe_top() misses
    some cleanups and leaves the aggregated kprobe in the hash table.  Then,
    __unregister_trace_kprobe() initialises tk->rp.kp.list and creates an
    infinite loop like this.

      aggregated kprobe.list -> kprobe.list -.
                                         ^    |
                                         '.__.'

    In this situation, these commands fall into the infinite loop and result
    in RCU stall or soft lockup.

      cat /sys/kernel/debug/kprobes/list : show_kprobe_addr() enters into the
                                           infinite loop with RCU.

      /usr/share/bcc/tools/execsnoop : warn_kprobe_rereg() holds kprobe_mutex,
                                       and __get_valid_kprobe() is stuck in
                                       the loop.

    To avoid the issue, make sure we don't call disarm_kprobe() for disabled
    kprobes.

    [0]
    Failed to disarm kprobe-ftrace at __x64_sys_execve+0x0/0x40 (error -2)
    WARNING: CPU: 6 PID: 2460 at kernel/kprobes.c:1130 __disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)
    Modules linked in: ena
    CPU: 6 PID: 2460 Comm: execsnoop Not tainted 5.19.0+ #28
    Hardware name: Amazon EC2 c5.2xlarge/, BIOS 1.0 10/16/2017
    RIP: 0010:__disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)
    Code: 24 8b 02 eb c1 80 3d c4 83 f2 01 00 75 d4 48 8b 75 00 89 c2 48 c7 c7 90 fa 0f 92 89 04 24 c6 05 ab
    83 01 e8 e4 94 f0 ff <0f> 0b 8b 04 24 eb b1 89 c6 48 c7 c7 60 fa 0f 92 89 04 24 e8 cc 94
    RSP: 0018:ffff9e6ec154bd98 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffffffff930f7b00 RCX: 0000000000000001
    RDX: 0000000080000001 RSI: ffffffff921461c5 RDI: 00000000ffffffff
    RBP: ffff89c504286da8 R08: 0000000000000000 R09: c0000000fffeffff
    R10: 0000000000000000 R11: ffff9e6ec154bc28 R12: ffff89c502394e40
    R13: ffff89c502394c00 R14: ffff9e6ec154bc00 R15: 0000000000000000
    FS:  00007fe800398740(0000) GS:ffff89c812d80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000c00057f010 CR3: 0000000103b54006 CR4: 00000000007706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
    <TASK>
     __disable_kprobe (kernel/kprobes.c:1716)
     disable_kprobe (kernel/kprobes.c:2392)
     __disable_trace_kprobe (kernel/trace/trace_kprobe.c:340)
     disable_trace_kprobe (kernel/trace/trace_kprobe.c:429)
     perf_trace_event_unreg.isra.2 (./include/linux/tracepoint.h:93 kernel/trace/trace_event_perf.c:168)
     perf_kprobe_destroy (kernel/trace/trace_event_perf.c:295)
     _free_event (kernel/events/core.c:4971)
     perf_event_release_kernel (kernel/events/core.c:5176)
     perf_release (kernel/events/core.c:5186)
     __fput (fs/file_table.c:321)
     task_work_run (./include/linux/
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-993244
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5b7eb91b");
  # https://lore.kernel.org/linux-cve-announce/2025061830-CVE-2022-50008-09c7@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dcb329c9");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50008");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50008");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
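# Group the alternation so both the ^ anchor and the trailing boundary apply to either version; escape the literal dots.
if (! preg(pattern:"^(20\.1060a|20\.1070a)([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);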

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}
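
The plugin above relies only on the installed package version, so the following added example (not part of the Tenable plugin or the advisory) shows a complementary check: scanning kernel log text for the disarm failure and WARNING quoted in the description, then for any RCU stall or soft lockup logged afterwards. The function name `scan_kprobe_disarm`, the timestamps, and the stall and lockup sample lines are assumptions constructed for illustration; the first three sample lines follow the trace in the advisory text.

```python
import re

# Constructed sample log. Lines 1-3 follow the trace quoted in the advisory;
# the timestamps and the stall / soft-lockup lines are constructed.
SAMPLE_LOG = """\
[  101.000001] Failed to disarm kprobe-ftrace at __x64_sys_execve+0x0/0x40 (error -2)
[  101.000009] WARNING: CPU: 6 PID: 2460 at kernel/kprobes.c:1130 __disarm_kprobe_ftrace.isra.19 (kernel/kprobes.c:1129)
[  101.000020] CPU: 6 PID: 2460 Comm: execsnoop Not tainted 5.19.0+ #28
[  160.500000] rcu: INFO: rcu_sched self-detected stall on CPU
[  188.250000] watchdog: BUG: soft lockup - CPU#3 stuck for 26s! [cat:2511]
"""

DISARM_FAIL = re.compile(
    r"Failed to disarm kprobe-ftrace at (?P<sym>\S+) \(error (?P<err>-?\d+)\)")
DISARM_WARN = re.compile(
    r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at kernel/kprobes\.c:\d+ "
    r"__disarm_kprobe_ftrace")
HANG = re.compile(
    r"rcu: INFO: \S+ (?:self-detected stall|detected stalls)|BUG: soft lockup")
TIMESTAMP = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]")


def scan_kprobe_disarm(log_text):
    """Report disarm failures, the warning PIDs, and hangs logged after them."""
    result = {"symbols": [], "pids": [], "hangs": []}
    for line in log_text.splitlines():
        m = DISARM_FAIL.search(line)
        if m:
            # Keep the probed symbol without the +offset/size suffix.
            result["symbols"].append((m["sym"].split("+")[0], int(m["err"])))
            continue
        m = DISARM_WARN.search(line)
        if m:
            result["pids"].append(int(m["pid"]))
            continue
        # A stall or lockup only counts once a disarm failure was seen, since
        # the advisory describes the list loop as following the failed disarm.
        if result["symbols"] and HANG.search(line):
            ts = TIMESTAMP.match(line)
            result["hangs"].append(float(ts["ts"]) if ts else None)
    if not result["symbols"] and not result["pids"]:
        result["verdict"] = "not-seen"
    else:
        result["verdict"] = "warn-then-hang" if result["hangs"] else "warn-fired"
    return result


if __name__ == "__main__":
    print(scan_kprobe_disarm(SAMPLE_LOG))
```

Because WARN_ONCE() prints only once per boot, a "not-seen" verdict on a rotated log does not show that the kernel is patched; the package version remains the authoritative check.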

31 Dec 2025 00:00 (Current)
Vulners AI Score: 6.2 (Medium risk)
CVSS 3.1: 5.5
EPSS: 0.00204