Lucene search
K

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005095)

🗓️ 27 Jan 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Unity Linux 20.1050e kernel fixes media xc2028 use-after-free in load_firmware_cb.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(296890);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/27");

  script_cve_id("CVE-2024-43900");

  script_name(english:"Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005095)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005095 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    media: xc2028: avoid use-after-free in load_firmware_cb()

    syzkaller reported use-after-free in load_firmware_cb() [1].
    The reason is because the module allocated a struct tuner in tuner_probe(),
    and then the module initialization failed, the struct tuner was released.
    A worker which created during module initialization accesses this struct
    tuner later, it caused use-after-free.

    The process is as follows:

    task-6504           worker_thread
    tuner_probe                             <= alloc dvb_frontend [2]
    ...
    request_firmware_nowait                 <= create a worker
    ...
    tuner_remove                            <= free dvb_frontend
    ...
                        request_firmware_work_func  <= the firmware is ready
                        load_firmware_cb    <= but now the dvb_frontend has been freed

    To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is
    null, report a warning and just return.

    [1]:
        ==================================================================
         BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
         Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504

         Call trace:
          load_firmware_cb+0x1310/0x17a0
          request_firmware_work_func+0x128/0x220
          process_one_work+0x770/0x1824
          worker_thread+0x488/0xea0
          kthread+0x300/0x430
          ret_from_fork+0x10/0x20

         Allocated by task 6504:
          kzalloc
          tuner_probe+0xb0/0x1430
          i2c_device_probe+0x92c/0xaf0
          really_probe+0x678/0xcd0
          driver_probe_device+0x280/0x370
          __device_attach_driver+0x220/0x330
          bus_for_each_drv+0x134/0x1c0
          __device_attach+0x1f4/0x410
          device_initial_probe+0x20/0x30
          bus_probe_device+0x184/0x200
          device_add+0x924/0x12c0
          device_register+0x24/0x30
          i2c_new_device+0x4e0/0xc44
          v4l2_i2c_new_subdev_board+0xbc/0x290
          v4l2_i2c_new_subdev+0xc8/0x104
          em28xx_v4l2_init+0x1dd0/0x3770

         Freed by task 6504:
          kfree+0x238/0x4e4
          tuner_remove+0x144/0x1c0
          i2c_device_remove+0xc8/0x290
          __device_release_driver+0x314/0x5fc
          device_release_driver+0x30/0x44
          bus_remove_device+0x244/0x490
          device_del+0x350/0x900
          device_unregister+0x28/0xd0
          i2c_unregister_device+0x174/0x1d0
          v4l2_device_unregister+0x224/0x380
          em28xx_v4l2_init+0x1d90/0x3770

         The buggy address belongs to the object at ffff8000d7ca2000
          which belongs to the cache kmalloc-2k of size 2048
         The buggy address is located 776 bytes inside of
          2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
         The buggy address belongs to the page:
         page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
         flags: 0x7ff800000000100(slab)
         raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
         raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
         page dumped because: kasan: bad access detected

         Memory state around the buggy address:
          ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
          ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
         >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
          ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
          ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
         ==================================================================

    [2]
        Actually, it is allocated for struct tuner, and dvb_frontend is inside.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005095
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?51b794c1");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-43900");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-43900");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/08/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

27 Jan 2026 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.17.8
EPSS0.00214
SSVC
3