Lucene search
K

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010785)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Kernel fix for use-after-free in binder caused by race between alloc->vma and munmap.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308915);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/21");

  script_cve_id("CVE-2023-54157");

  script_name(english:"Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010785)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-010785 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    binder: fix UAF of alloc->vma in race with munmap()

    [ cmllamas: clean forward port from commit 015ac18be7de (binder: fix
      UAF of alloc->vma in race with munmap()) in 5.10 stable. It is needed
      in mainline after the revert of commit a43cfc87caaf (android: binder:
      stop saving a pointer to the VMA) as pointed out by Liam. The commit
      log and tags have been tweaked to reflect this. ]

    In commit 720c24192404 (ANDROID: binder: change down_write to
    down_read) binder assumed the mmap read lock is sufficient to protect
    alloc->vma inside binder_update_page_range(). This used to be accurate
    until commit dd2283f2605e (mm: mmap: zap pages with read mmap_sem in
    munmap), which now downgrades the mmap_lock after detaching the vma
    from the rbtree in munmap(). Then it proceeds to teardown and free the
    vma with only the read lock held.

    This means that accesses to alloc->vma in binder_update_page_range() now
    will race with vm_area_free() in munmap() and can cause a UAF as shown
    in the following KASAN trace:

      ==================================================================
      BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0
      Read of size 8 at addr ffff16204ad00600 by task server/558

      CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace+0x0/0x2a0
       show_stack+0x18/0x2c
       dump_stack+0xf8/0x164
       print_address_description.constprop.0+0x9c/0x538
       kasan_report+0x120/0x200
       __asan_load8+0xa0/0xc4
       vm_insert_page+0x7c/0x1f0
       binder_update_page_range+0x278/0x50c
       binder_alloc_new_buf+0x3f0/0xba0
       binder_transaction+0x64c/0x3040
       binder_thread_write+0x924/0x2020
       binder_ioctl+0x1610/0x2e5c
       __arm64_sys_ioctl+0xd4/0x120
       el0_svc_common.constprop.0+0xac/0x270
       do_el0_svc+0x38/0xa0
       el0_svc+0x1c/0x2c
       el0_sync_handler+0xe8/0x114
       el0_sync+0x180/0x1c0

      Allocated by task 559:
       kasan_save_stack+0x38/0x6c
       __kasan_kmalloc.constprop.0+0xe4/0xf0
       kasan_slab_alloc+0x18/0x2c
       kmem_cache_alloc+0x1b0/0x2d0
       vm_area_alloc+0x28/0x94
       mmap_region+0x378/0x920
       do_mmap+0x3f0/0x600
       vm_mmap_pgoff+0x150/0x17c
       ksys_mmap_pgoff+0x284/0x2dc
       __arm64_sys_mmap+0x84/0xa4
       el0_svc_common.constprop.0+0xac/0x270
       do_el0_svc+0x38/0xa0
       el0_svc+0x1c/0x2c
       el0_sync_handler+0xe8/0x114
       el0_sync+0x180/0x1c0

      Freed by task 560:
       kasan_save_stack+0x38/0x6c
       kasan_set_track+0x28/0x40
       kasan_set_free_info+0x24/0x4c
       __kasan_slab_free+0x100/0x164
       kasan_slab_free+0x14/0x20
       kmem_cache_free+0xc4/0x34c
       vm_area_free+0x1c/0x2c
       remove_vma+0x7c/0x94
       __do_munmap+0x358/0x710
       __vm_munmap+0xbc/0x130
       __arm64_sys_munmap+0x4c/0x64
       el0_svc_common.constprop.0+0xac/0x270
       do_el0_svc+0x38/0xa0
       el0_svc+0x1c/0x2c
       el0_sync_handler+0xe8/0x114
       el0_sync+0x180/0x1c0

      [...]
      ==================================================================

    To prevent the race above, revert back to taking the mmap write lock
    inside binder_update_page_range(). One might expect an increase of mmap
    lock contention. However, binder already serializes these calls via top
    level alloc->mutex. Also, there was no performance impact shown when
    running the binder benchmark tests.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-010785
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5d12a31f");
  # https://lore.kernel.org/linux-cve-announce/2025122428-CVE-2023-54157-c0c5@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6c3c604e");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-54157");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-54157");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060e',
    'pkgs': [
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Apr 2026 00:00Current
5.6Medium risk
Vulners AI Score5.6
EPSS0.00168
3