Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005692)

🗓️ 04 Mar 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Linux kernel fix for pointer leak from speculative store bypass; sanitize scalar writes overwriting pointers.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(300669);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/04");

  script_cve_id("CVE-2023-53024");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005692)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005692 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation

    To mitigate Spectre v4, 2039f26f3aca (bpf: Fix leakage due to
    insufficient speculative store bypass mitigation) inserts lfence
    instructions after 1) initializing a stack slot and 2) spilling a
    pointer to the stack.

    However, this does not cover cases where a stack slot is first
    initialized with a pointer (subject to sanitization) but then
    overwritten with a scalar (not subject to sanitization because
    the slot was already initialized). In this case, the second write
    may be subject to speculative store bypass (SSB) creating a
    speculative pointer-as-scalar type confusion. This allows the
    program to subsequently leak the numerical pointer value using,
    for example, a branch-based cache side channel.

    To fix this, also sanitize scalars if they write a stack slot
    that previously contained a pointer. Assuming that pointer-spills
    are only generated by LLVM on register-pressure, the performance
    impact on most real-world BPF programs should be small.

    The following unprivileged BPF bytecode drafts a minimal exploit
    and the mitigation:

      [...]
      // r6 = 0 or 1 (skalar, unknown user input)
      // r7 = accessible ptr for side channel
      // r10 = frame pointer (fp), to be leaked
      //
      r9 = r10 # fp alias to encourage ssb
      *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
      // lfence added here because of pointer spill to stack.
      //
      // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
      // for no r9-r10 dependency.
      //
      *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
      // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
      // store may be subject to SSB
      //
      // fix: also add an lfence when the slot contained a ptr
      //
      r8 = *(u64 *)(r9 - 8)
      // r8 = architecturally a scalar, speculatively a ptr
      //
      // leak ptr using branch-based cache side channel:
      r8 &= 1 // choose bit to leak
      if r8 == 0 goto SLOW // no mispredict
      // architecturally dead code if input r6 is 0,
      // only executes speculatively iff ptr bit is 1
      r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
    SLOW:
      [...]

    After running this, the program can time the access to *(r7 + 0) to
    determine whether the chosen pointer bit was 0 or 1. Repeat this 64
    times to recover the whole address on amd64.

    In summary, sanitization can only be skipped if one scalar is
    overwritten with another scalar. Scalar-confusion due to speculative
    store bypass can not lead to invalid accesses because the pointer
    bounds deducted during verification are enforced using branchless
    logic. See 979d63d50c0c (bpf: prevent out of bounds speculation on
    pointer arithmetic) for details.

    Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}
    because speculative leaks are likely unexpected if these were enabled.
    For example, leaking the address to a protected log file may be acceptable
    while disabling the mitigation might unintentionally leak the address
    into the cached-state of a map that is accessible to unprivileged
    processes.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005692
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?338b64d3");
  # https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-53024-8d19@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9cf28ef");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-53024");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-53024");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-4.19.0-91.82.190.007', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.007', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.0-91.82.190.007', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Mar 2026 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.17.1
EPSS0.00189
2