Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005444)

🗓️ 03 Mar 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Unity Linux 20.1070e security update fixes a kernel race in openvswitch port output.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(300372);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/03");

  script_cve_id("CVE-2023-53188");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005444)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005444 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net: openvswitch: fix race on port output

    assume the following setup on a single machine:
    1. An openvswitch instance with one bridge and default flows
    2. two network namespaces server and client
    3. two ovs interfaces server and client on the bridge
    4. for each ovs interface a veth pair with a matching name and 32 rx and
       tx queues
    5. move the ends of the veth pairs to the respective network namespaces
    6. assign ip addresses to each of the veth ends in the namespaces (needs
       to be the same subnet)
    7. start some http server on the server network namespace
    8. test if a client in the client namespace can reach the http server

    when following the actions below the host has a chance of getting a cpu
    stuck in a infinite loop:
    1. send a large amount of parallel requests to the http server (around
       3000 curls should work)
    2. in parallel delete the network namespace (do not delete interfaces or
       stop the server, just kill the namespace)

    there is a low chance that this will cause the below kernel cpu stuck
    message. If this does not happen just retry.
    Below there is also the output of bpftrace for the functions mentioned
    in the output.

    The series of events happening here is:
    1. the network namespace is deleted calling
       `unregister_netdevice_many_notify` somewhere in the process
    2. this sets first `NETREG_UNREGISTERING` on both ends of the veth and
       then runs `synchronize_net`
    3. it then calls `call_netdevice_notifiers` with `NETDEV_UNREGISTER`
    4. this is then handled by `dp_device_event` which calls
       `ovs_netdev_detach_dev` (if a vport is found, which is the case for
       the veth interface attached to ovs)
    5. this removes the rx_handlers of the device but does not prevent
       packages to be sent to the device
    6. `dp_device_event` then queues the vport deletion to work in
       background as a ovs_lock is needed that we do not hold in the
       unregistration path
    7. `unregister_netdevice_many_notify` continues to call
       `netdev_unregister_kobject` which sets `real_num_tx_queues` to 0
    8. port deletion continues (but details are not relevant for this issue)
    9. at some future point the background task deletes the vport

    If after 7. but before 9. a packet is send to the ovs vport (which is
    not deleted at this point in time) which forwards it to the
    `dev_queue_xmit` flow even though the device is unregistering.
    In `skb_tx_hash` (which is called in the `dev_queue_xmit`) path there is
    a while loop (if the packet has a rx_queue recorded) that is infinite if
    `dev->real_num_tx_queues` is zero.

    To prevent this from happening we update `do_output` to handle devices
    without carrier the same as if the device is not found (which would
    be the code path after 9. is done).

    Additionally we now produce a warning in `skb_tx_hash` if we will hit
    the infinite loop.

    bpftrace (first word is function name):

    __dev_queue_xmit server: real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr:
    0xffff9edb6f207000, reg_state: 1
    netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 1, cpu: 2, pid: 28024, tid:
    28024, skb_addr: 0xffff9edb6f207000, reg_state: 1
    dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 2, reg_state: 1
    synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
    synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
    synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
    synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
    dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 6, reg_state: 2
    ovs_netdev_detach_dev server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, reg_state: 2
    netdev_rx_handler_unregister server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2
    synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
    netdev_rx_handler_unregister ret server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state:
    2
    dp_
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005444
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8e53fe82");
  # https://lore.kernel.org/linux-cve-announce/2025091557-CVE-2023-53188-373f@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?44033c2d");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-53188");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-53188");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 Mar 2026 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.14.7
EPSS0.00104
2