
Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005184)

27 Jan 2026 00:00:00
Reported by: Tenable
Type: nessus
Source: www.tenable.com

Unity Linux kernel update fixes tcp/dccp use-after-free and prevents reqsk_queue_unlink timer race.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(296953);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/27");

  script_cve_id("CVE-2024-50154");

  script_name(english:"Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005184)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005184 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

    Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().

      
      We are seeing a use-after-free from a bpf prog attached to
      trace_tcp_retransmit_synack. The program passes the req->sk to the
      bpf_sk_storage_get_tracing kernel helper which does check for null
      before using it.
      

    The commit 83fccfc3940c (inet: fix potential deadlock in
    reqsk_queue_unlink()) added timer_pending() in reqsk_queue_unlink() not
    to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
    small race window.

    Before the timer is called, expire_timers() calls detach_timer(timer, true)
    to clear timer->entry.pprev and marks it as not pending.

    If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
    calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
    continue running and send multiple SYN+ACKs until it expires.

    The reported UAF could happen if req->sk is close()d earlier than the timer
    expiration, which is 63s by default.

    The scenario would be

      1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
         but del_timer_sync() is missed

      2. reqsk timer is executed and scheduled again

      3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
         reqsk timer still has another one, and inet_csk_accept() does not
         clear req->sk for non-TFO sockets

      4. sk is close()d

      5. reqsk timer is executed again, and BPF touches req->sk

    Let's not use timer_pending() by passing the caller context to
    __inet_csk_reqsk_queue_drop().

    Note that reqsk timer is pinned, so the issue does not happen in most
    use cases. [1]

    [0]
    BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0

    Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
    bpf_sk_storage_get_tracing+0x2e/0x1b0
    bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
    bpf_trace_run2+0x4c/0xc0
    tcp_rtx_synack+0xf9/0x100
    reqsk_timer_handler+0xda/0x3d0
    run_timer_softirq+0x292/0x8a0
    irq_exit_rcu+0xf5/0x320
    sysvec_apic_timer_interrupt+0x6d/0x80
    asm_sysvec_apic_timer_interrupt+0x16/0x20
    intel_idle_irq+0x5a/0xa0
    cpuidle_enter_state+0x94/0x273
    cpu_startup_entry+0x15e/0x260
    start_secondary+0x8a/0x90
    secondary_startup_64_no_verify+0xfa/0xfb

    kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6

    allocated by task 0 on cpu 9 at 260507.901592s:
    sk_prot_alloc+0x35/0x140
    sk_clone_lock+0x1f/0x3f0
    inet_csk_clone_lock+0x15/0x160
    tcp_create_openreq_child+0x1f/0x410
    tcp_v6_syn_recv_sock+0x1da/0x700
    tcp_check_req+0x1fb/0x510
    tcp_v6_rcv+0x98b/0x1420
    ipv6_list_rcv+0x2258/0x26e0
    napi_complete_done+0x5b1/0x2990
    mlx5e_napi_poll+0x2ae/0x8d0
    net_rx_action+0x13e/0x590
    irq_exit_rcu+0xf5/0x320
    common_interrupt+0x80/0x90
    asm_common_interrupt+0x22/0x40
    cpuidle_enter_state+0xfb/0x273
    cpu_startup_entry+0x15e/0x260
    start_secondary+0x8a/0x90
    secondary_startup_64_no_verify+0xfa/0xfb

    freed by task 0 on cpu 9 at 260507.927527s:
    rcu_core_si+0x4ff/0xf10
    irq_exit_rcu+0xf5/0x320
    sysvec_apic_timer_interrupt+0x6d/0x80
    asm_sysvec_apic_timer_interrupt+0x16/0x20
    cpuidle_enter_state+0xfb/0x273
    cpu_startup_entry+0x15e/0x260
    start_secondary+0x8a/0x90
    secondary_startup_64_no_verify+0xfa/0xfb

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005184
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?de1c1af5");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-50154");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-50154");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/11/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20\.1050e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}
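
The version test behind the `constraints` table above can be reproduced by hand. This is an added example, not Tenable's code and not part of the original page: a simplified RPM version comparison (no epoch, no `~` or `^` handling) run over constructed sample values. It also compares the booted kernel release, since the visible plugin code works from the installed RPM list.

```python
import re

# Fixed package taken from the plugin's constraints: kernel-4.19.90-2211.5.0.0178.47
FIXED_EVR = "4.19.90-2211.5.0.0178.47"

def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings with RPM's segment rules.

    Simplification (assumption): the '~' and '^' modifiers are not handled.
    """
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x_n, y_n = int(x), int(y)  # leading zeros are ignored: 0178 == 178
            if x_n != y_n:
                return 1 if x_n > y_n else -1
        elif x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings (no epoch): version first, then release."""
    ver_a, _, rel_a = a.partition("-")
    ver_b, _, rel_b = b.partition("-")
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)

def assess(installed, running, fixed=FIXED_EVR):
    """Report installed kernels older than the fix and whether the booted one is."""
    outdated = [evr for evr in installed if evr_cmp(evr, fixed) < 0]
    return {
        "outdated_packages": outdated,
        "running_outdated": evr_cmp(running, fixed) < 0,
    }

# Constructed sample data: `rpm -q kernel` style values and a `uname -r` value.
SAMPLE_INSTALLED = ["4.19.90-2211.5.0.0170.40", "4.19.90-2211.5.0.0178.47"]
SAMPLE_RUNNING = "4.19.90-2211.5.0.0170.40.x86_64"

if __name__ == "__main__":
    print(assess(SAMPLE_INSTALLED, SAMPLE_RUNNING))
```

A host where the fixed package is installed but `running_outdated` is still true has not yet rebooted into the patched kernel.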

27 Jan 2026 00:00 (current)
Vulners AI Score: 6.7 (Medium risk)
CVSS 3.1: 7 - 7.8
EPSS: 0.00241