Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000502)

🗓️ 07 Jan 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux 20.1070e security update fixes double free of blk_mq_tag_set on device removal.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(282129);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/07");

  script_cve_id("CVE-2021-46938");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000502)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-000502 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails

    When loading a device-mapper table for a request-based mapped device,
    and the allocation/initialization of the blk_mq_tag_set for the device
    fails, a following device remove will cause a double free.

    E.g. (dmesg):
      device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device
      device-mapper: ioctl: unable to set up device queue for new table.
      Unable to handle kernel pointer dereference in virtual kernel address space
      Failing address: 0305e098835de000 TEID: 0305e098835de803
      Fault in home space mode while using kernel ASCE.
      AS:000000025efe0007 R3:0000000000000024
      Oops: 0038 ilc:3 [#1] SMP
      Modules linked in: ... lots of modules ...
      Supported: Yes, External
      CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G        W      X    5.3.18-53-default #1
    SLE15-SP3
      Hardware name: IBM 8561 T01 7I2 (LPAR)
      Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)
                 R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
      Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000
                 000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000
                 000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640
                 00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8
      Krnl Code: 000000025e368eb8: c4180041e100       lgrl    %r1,25eba50b8
                 000000025e368ebe: ecba06b93a55       risbg   %r11,%r10,6,185,58
                #000000025e368ec4: e3b010000008       ag      %r11,0(%r1)
                >000000025e368eca: e310b0080004       lg      %r1,8(%r11)
                 000000025e368ed0: a7110001           tmll    %r1,1
                 000000025e368ed4: a7740129           brc     7,25e369126
                 000000025e368ed8: e320b0080004       lg      %r2,8(%r11)
                 000000025e368ede: b904001b           lgr     %r1,%r11
      Call Trace:
       [<000000025e368eca>] kfree+0x42/0x330
       [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8
       [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]
       [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod]
       [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod]
       [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod]
       [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod]
       [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod]
       [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0
       [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40
       [<000000025e8c15ac>] system_call+0xd8/0x2c8
      Last Breaking-Event-Address:
       [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8
      Kernel panic - not syncing: Fatal exception: panic_on_oops

    When allocation/initialization of the blk_mq_tag_set fails in
    dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer
    is not reset to NULL; so when dev_remove() later gets into
    dm_mq_cleanup_mapped_device() it sees the pointer and tries to
    uninitialize and free it again.

    Fix this by setting the pointer to NULL in dm_mq_init_request_queue()
    error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-000502
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?57d4c866");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-46938");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-46938");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('sw_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2403.3.0.0270.100.uel20', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jan 2026 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.17.8
EPSS0.00248
SSVC
2