Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005565)

🗓️ 04 Mar 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Unity Linux 20.1070e kernel update fixes br_netfilter panic with untagged traffic on a VxLAN bridge.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(300544);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/04");

  script_cve_id("CVE-2024-50045");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2026-005565)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005565 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    netfilter: br_netfilter: fix panic with metadata_dst skb

    Fix a kernel panic in the br_netfilter module when sending untagged
    traffic via a VxLAN device.
    This happens during the check for fragmentation in br_nf_dev_queue_xmit.

    It is dependent on:
    1) the br_netfilter module being loaded;
    2) net.bridge.bridge-nf-call-iptables set to 1;
    3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
    4) untagged frames with size higher than the VxLAN MTU forwarded/flooded

    When forwarding the untagged packet to the VxLAN bridge port, before
    the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and
    changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type
    of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.

    Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check
    for frames that needs to be fragmented: frames with higher MTU than the
    VxLAN device end up calling br_nf_ip_fragment, which in turns call
    ip_skb_dst_mtu.

    The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst
    with valid dst->dev, thus the crash.

    This case was never supported in the first place, so drop the packet
    instead.

    PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
    [  176.291791] Unable to handle kernel NULL pointer dereference at
    virtual address 0000000000000110
    [  176.292101] Mem abort info:
    [  176.292184]   ESR = 0x0000000096000004
    [  176.292322]   EC = 0x25: DABT (current EL), IL = 32 bits
    [  176.292530]   SET = 0, FnV = 0
    [  176.292709]   EA = 0, S1PTW = 0
    [  176.292862]   FSC = 0x04: level 0 translation fault
    [  176.293013] Data abort info:
    [  176.293104]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    [  176.293488]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    [  176.293787]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [  176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000
    [  176.294166] [0000000000000110] pgd=0000000000000000,
    p4d=0000000000000000
    [  176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
    [  176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth
    br_netfilter bridge stp llc ipv6 crct10dif_ce
    [  176.295923] CPU: 0 PID: 188 Comm: ping Not tainted
    6.8.0-rc3-g5b3fbd61b9d1 #2
    [  176.296314] Hardware name: linux,dummy-virt (DT)
    [  176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS
    BTYPE=--)
    [  176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
    [  176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
    [  176.297636] sp : ffff800080003630
    [  176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:
    ffff6828c49ad9f8
    [  176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:
    00000000000003e8
    [  176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:
    ffff6828c3b16d28
    [  176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:
    0000000000000014
    [  176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:
    0000000095744632
    [  176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:
    ffffb7e137926a70
    [  176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :
    0000000000000000
    [  176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :
    f20e0100bebafeca
    [  176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :
    0000000000000000
    [  176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :
    ffff6828c7f918f0
    [  176.300889] Call trace:
    [  176.301123]  br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
    [  176.301411]  br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
    [  176.301703]  nf_hook_slow+0x48/0x124
    [  176.302060]  br_forward_finish+0xc8/0xe8 [bridge]
    [  176.302371]  br_nf_hook_thresh+0x124/0x134 [br_netfilter]
    [  176.302605]  br_nf_forward_finish+0x118/0x22c [br_netfilter]
    [  176.302824]  br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
    [  176.303136]  br_nf_forward+0x2b8/0x4e0 [br_netfilter]
    [  176.303359]  nf_hook_slow+0x48/0x124
    [  176.303
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005565
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e77b35f");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-50045");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-50045");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2601.1.0.0002', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Mar 2026 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.15.5
EPSS0.00258
SSVC
4