Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005191)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(296961);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/27");

  script_cve_id("CVE-2024-57996");

  script_name(english:"Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005191)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005191 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net_sched: sch_sfq: don't allow 1 packet limit

    The current implementation does not work correctly with a limit of
    1. iproute2 actually checks for this and this patch adds the check in
    kernel as well.

    This fixes the following syzkaller reported crash:

    UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6
    index 65535 is out of range for type 'struct sfq_head[128]'
    CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
    Call Trace:
      __dump_stack lib/dump_stack.c:79 [inline]
      dump_stack+0x125/0x19f lib/dump_stack.c:120
      ubsan_epilogue lib/ubsan.c:148 [inline]
      __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347
      sfq_link net/sched/sch_sfq.c:210 [inline]
      sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238
      sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500
      sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525
      qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
      tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319
      qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
      dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296
      netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]
      dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362
      __dev_close_many+0x214/0x350 net/core/dev.c:1468
      dev_close_many+0x207/0x510 net/core/dev.c:1506
      unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738
      unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695
      unregister_netdevice include/linux/netdevice.h:2893 [inline]
      __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689
      tun_detach drivers/net/tun.c:705 [inline]
      tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640
      __fput+0x203/0x840 fs/file_table.c:280
      task_work_run+0x129/0x1b0 kernel/task_work.c:185
      exit_task_work include/linux/task_work.h:33 [inline]
      do_exit+0x5ce/0x2200 kernel/exit.c:931
      do_group_exit+0x144/0x310 kernel/exit.c:1046
      __do_sys_exit_group kernel/exit.c:1057 [inline]
      __se_sys_exit_group kernel/exit.c:1055 [inline]
      __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055
     do_syscall_64+0x6c/0xd0
     entry_SYSCALL_64_after_hwframe+0x61/0xcb
    RIP: 0033:0x7fe5e7b52479
    Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.
    RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479
    RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
    RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0
    R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270

    The crash can be also be reproduced with the following (with a tc
    recompiled to allow for sfq limits of 1):

    tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s
    ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1
    ifconfig dummy0 up
    ping -I dummy0 -f -c2 -W0.1 8.8.8.8
    sleep 1

    Scenario that triggers the crash:

    * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1

    * TBF dequeues: it peeks from SFQ which moves the packet to the
      gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so
      it schedules itself for later.

    * the second packet is sent and TBF tries to queues it to SFQ. qdisc
      qlen is now 2 and because the SFQ limit is 1 the packet is dropped
      by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,
      however q->tail is not NULL.

    At this point, assuming no more packets are queued, when sch_dequeue
    runs again it will decrement the qlen for the current empty slot
    causing an underflow and the subsequent out of bounds access.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005191
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6362661c");
  # https://lore.kernel.org/linux-cve-announce/2025022640-CVE-2024-57996-b670@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?991a6bad");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-57996");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-57996");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2211.5.0.0178.47', 'sp':'1050e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}