Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005790)

🗓️ 03 Mar 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Unity Linux UTSA-2026-005790 fixes slab use-after-free in tipc_aead_encrypt_done.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(300313);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/03");

  script_cve_id("CVE-2025-38052");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005790)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-005790 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done

    Syzbot reported a slab-use-after-free with the following call trace:

      ==================================================================
      BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
      Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25

      Call Trace:
       kasan_report+0xd9/0x110 mm/kasan/report.c:601
       tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
       crypto_request_complete include/crypto/algapi.h:266
       aead_request_complete include/crypto/internal/aead.h:85
       cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772
       crypto_request_complete include/crypto/algapi.h:266
       cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181
       process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231

      Allocated by task 8355:
       kzalloc_noprof include/linux/slab.h:778
       tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466
       tipc_init_net+0x2dd/0x430 net/tipc/core.c:72
       ops_init+0xb9/0x650 net/core/net_namespace.c:139
       setup_net+0x435/0xb40 net/core/net_namespace.c:343
       copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
       create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110
       unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
       ksys_unshare+0x419/0x970 kernel/fork.c:3323
       __do_sys_unshare kernel/fork.c:3394

      Freed by task 63:
       kfree+0x12a/0x3b0 mm/slub.c:4557
       tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539
       tipc_exit_net+0x8c/0x110 net/tipc/core.c:119
       ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
       cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
       process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231

    After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done
    may still visit it in cryptd_queue_worker workqueue.

    I reproduce this issue by:
      ip netns add ns1
      ip link add veth1 type veth peer name veth2
      ip link set veth1 netns ns1
      ip netns exec ns1 tipc bearer enable media eth dev veth1
      ip netns exec ns1 tipc node set key this_is_a_master_key master
      ip netns exec ns1 tipc bearer disable media eth dev veth1
      ip netns del ns1

    The key of reproduction is that, simd_aead_encrypt is interrupted, leading
    to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is
    triggered, and the tipc_crypto tx will be visited.

      tipc_disc_timeout
        tipc_bearer_xmit_skb
          tipc_crypto_xmit
            tipc_aead_encrypt
              crypto_aead_encrypt
                // encrypt()
                simd_aead_encrypt
                  // crypto_simd_usable() is false
                  child = &ctx->cryptd_tfm->base;

      simd_aead_encrypt
        crypto_aead_encrypt
          // encrypt()
          cryptd_aead_encrypt_enqueue
            cryptd_aead_enqueue
              cryptd_enqueue_request
                // trigger cryptd_queue_worker
                queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)

    Fix this by holding net reference count before encrypt.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-005790
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c2d96f27");
  # https://lore.kernel.org/linux-cve-announce/2025061832-CVE-2025-38052-6201@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11a839f8");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-38052");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-38052");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.7', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 Mar 2026 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.17.8
EPSS0.00171
4