Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004022)

🗓️ 16 Jan 2026 00:00:00Reported by TenableType

Unity Linux 20.1060a fixes kernel bpf verifier out-of-bounds in 5.5.0+ and 5.4.7+.

Reporter	Title	Published	Views	Family All 86
Gitee	Exploit for Improper Access Control in Xen	24 Jan 202110:46	–	gitee
Gitee	Exploit for Improper Access Control in Xen	14 Aug 202123:00	–	gitee
Gitee	Exploit for Incorrect Conversion between Numeric Types in Linux Linux_Kernel	21 Nov 202113:53	–	gitee
0day.today	Linux eBPF ALU32 32-bit Invalid Bounds Tracking Local Privilege Escalation Exploit	1 Sep 202100:00	–	zdt
ATTACKERKB	CVE-2021-33909	20 Jul 202100:00	–	attackerkb
ATTACKERKB	CVE-2020-8835	30 Mar 202000:00	–	attackerkb
ArchLinux	[ASA-202004-2] linux-hardened: privilege escalation	1 Apr 202000:00	–	archlinux
ArchLinux	[ASA-202004-3] linux-lts: privilege escalation	1 Apr 202000:00	–	archlinux
ArchLinux	[ASA-202004-4] linux: privilege escalation	1 Apr 202000:00	–	archlinux
Circl	CVE-2020-8835	25 Apr 202023:00	–	circl

Source	Link
nessus	www.nessus.org/u
openwall	www.openwall.com/lists/oss-security/2021/07/20/1
nessus	www.nessus.org/u
nessus	www.nessus.org/u
nessus	www.nessus.org/u
nessus	www.nessus.org/u
nessus	www.nessus.org/u
nessus	www.nessus.org/u
security-tracker	www.security-tracker.debian.org/tracker/CVE-2020-8835
security	www.security.netapp.com/advisory/ntap-20200430-0004/

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(288223);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/10");

  script_cve_id("CVE-2020-8835");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004022)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-004022 advisory.

    In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict
    the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The
    vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit
    was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka
    ZDI-CAN-10780)

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-004022
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d86f3ca");
  script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/07/20/1");
  # https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b52ede73");
  # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f21e4152");
  # https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f4d00e37");
  # https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c65d7c3b");
  # https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?81cbb3d8");
  # https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d22a1605");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-8835");
  script_set_attribute(attribute:"see_also", value:"https://security.netapp.com/advisory/ntap-20200430-0004/");
  script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/4313-1/");
  script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/usn/usn-4313-1");
  script_set_attribute(attribute:"see_also", value:"https://www.openwall.com/lists/oss-security/2020/03/30/3");
  script_set_attribute(attribute:"see_also", value:"https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8835");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-46.38', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.5', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

10 Feb 2026 00:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 27.2

CVSS 3.17.8

EPSS0.23269