Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005422)

🗓️ 02 Mar 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Unity Linux kernel update fixes IMA policy panic by avoiding blocking in RCU reads.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(300218);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/02");

  script_cve_id("CVE-2024-40947");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005422)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005422 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ima: Avoid blocking in RCU read-side critical section

    A panic happens in ima_match_policy:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    PGD 42f873067 P4D 0
    Oops: 0000 [#1] SMP NOPTI
    CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
    Kdump: loaded Tainted: P
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
                   BIOS 0.0.0 02/06/2015
    RIP: 0010:ima_match_policy+0x84/0x450
    Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
          7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
          f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
          44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
    RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
    RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
    RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
    R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
    R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
    FS:  00007f5195b51740(0000)
    GS:ff3e278b12d40000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     ima_get_action+0x22/0x30
     process_measurement+0xb0/0x830
     ? page_add_file_rmap+0x15/0x170
     ? alloc_set_pte+0x269/0x4c0
     ? prep_new_page+0x81/0x140
     ? simple_xattr_get+0x75/0xa0
     ? selinux_file_open+0x9d/0xf0
     ima_file_check+0x64/0x90
     path_openat+0x571/0x1720
     do_filp_open+0x9b/0x110
     ? page_counter_try_charge+0x57/0xc0
     ? files_cgroup_alloc_fd+0x38/0x60
     ? __alloc_fd+0xd4/0x250
     ? do_sys_open+0x1bd/0x250
     do_sys_open+0x1bd/0x250
     do_syscall_64+0x5d/0x1d0
     entry_SYSCALL_64_after_hwframe+0x65/0xca

    Commit c7423dbdbc9e (ima: Handle -ESTALE returned by
    ima_filter_rule_match()) introduced call to ima_lsm_copy_rule within a
    RCU read-side critical section which contains kmalloc with GFP_KERNEL.
    This implies a possible sleep and violates limitations of RCU read-side
    critical sections on non-PREEMPT systems.

    Sleeping within RCU read-side critical section might cause
    synchronize_rcu() returning early and break RCU protection, allowing a
    UAF to happen.

    The root cause of this issue could be described as follows:
    |       Thread A        |       Thread B        |
    |                       |ima_match_policy       |
    |                       |  rcu_read_lock        |
    |ima_lsm_update_rule    |                       |
    |  synchronize_rcu      |                       |
    |                       |    kmalloc(GFP_KERNEL)|
    |                       |      sleep            |
    ==> synchronize_rcu returns early
    |  kfree(entry)         |                       |
    |                       |    entry = entry->next|
    ==> UAF happens and entry now becomes NULL (or could be anything).
    |                       |    entry->action      |
    ==> Accessing entry might cause panic.

    To fix this issue, we are converting all kmalloc that is called within
    RCU read-side critical section to use GFP_ATOMIC.

    [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005422
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?122e6068");
  # https://lore.kernel.org/linux-cve-announce/2024071221-CVE-2024-40947-4782@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e46c507b");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-40947");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-40947");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Mar 2026 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.15.5
EPSS0.0025
SSVC
3