Unity Linux 20.1050a Security Update: kernel (UTSA-2026-007015)

21 Apr 2026 | Reported by Tenable | Type: nessus | Source: www.tenable.com

The Unity Linux 20.1050a kernel update fixes an arbitrary write in atmtcp_recv_control() reachable through sendmsg() and adds a ->pre_send() check to validate messages.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308224);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/21");

  script_cve_id("CVE-2025-39828");

  script_name(english:"Unity Linux 20.1050a Security Update: kernel (UTSA-2026-007015)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-007015 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().

    syzbot reported the splat below. [0]

    When atmtcp_v_open() or atmtcp_v_close() is called via connect()
    or close(), atmtcp_send_control() is called to send an in-kernel
    special message.

    The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.
    Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.

    The notable thing is struct atmtcp_control is uAPI but has a
    space for an in-kernel pointer.

      struct atmtcp_control {
            struct atmtcp_hdr hdr;  /* must be first */
      ...
            atm_kptr_t vcc;         /* both directions */
      ...
      } __ATM_API_ALIGN;

      typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;

    The special message is processed in atmtcp_recv_control() called
    from atmtcp_c_send().

    atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:

      1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())
      2. vcc_sendmsg()

    The problem is sendmsg() does not validate the message length and
    userspace can abuse atmtcp_recv_control() to overwrite any kptr
    by atmtcp_control.

    Let's add a new ->pre_send() hook to validate messages from sendmsg().

    [0]:
    Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN
    PTI
    KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
    CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0
    PREEMPT(full)
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
    RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
    RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
    Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05
    00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c
    RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203
    RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000
    RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c
    RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd
    R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000
    R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff
    FS:  00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0
    Call Trace:
     <TASK>
     vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645
     sock_sendmsg_nosec net/socket.c:714 [inline]
     __sock_sendmsg+0x219/0x270 net/socket.c:729
     ____sys_sendmsg+0x505/0x830 net/socket.c:2614
     ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
     __sys_sendmsg net/socket.c:2700 [inline]
     __do_sys_sendmsg net/socket.c:2705 [inline]
     __se_sys_sendmsg net/socket.c:2703 [inline]
     __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
     do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f8d7e96a4a9
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d
    89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9
    RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005
    RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f
    R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac
    R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250
     </TASK>
    Modules linked in:

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-007015
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fd92f059");
  # https://lore.kernel.org/linux-cve-announce/2025091617-CVE-2025-39828-c69f@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5910350c");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-39828");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-39828");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/09/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20\.1050a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050a',
    'pkgs': [
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Vulners AI Score: 6.8 (Medium risk) | CVSS 3.1: 7.8 | EPSS: 0.00157