Lucene search
K

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010799)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 7 Views

Kernel security update fixes out-of-bounds write in tracing hist var_ref_idx with synth parameters.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308760);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/21");

  script_cve_id("CVE-2022-50553");

  script_name(english:"Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010799)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-010799 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'

    When generate a synthetic event with many params and then create a trace
    action for it [1], kernel panic happened [2].

    It is because that in trace_action_create() 'data->n_params' is up to
    SYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx'
    keeps indices into array 'hist_data->var_refs' for each synthetic event
    param, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX
    (current value is 16), so out-of-bound write happened when 'data->n_params'
    more than 16. In this case, 'data->match_data.event' is overwritten and
    eventually cause the panic.

    To solve the issue, adjust the length of 'data->var_ref_idx' to be
    SYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.

    [1]
     # cd /sys/kernel/tracing/
     # echo my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\
    int v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\
    int v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\
    int v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\
    int v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\
    int v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\
    int v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\
    int v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\
    int v63 >> synthetic_events
     # echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm==bash' >> \
    events/sched/sched_waking/trigger
     # echo hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
    pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
    pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
    pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
    pid,pid,pid,pid,pid,pid,pid,pid,pid) >> events/sched/sched_switch/trigger

    [2]
    BUG: unable to handle page fault for address: ffff91c900000000
    PGD 61001067 P4D 61001067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 2 PID: 322 Comm: bash Tainted: G        W          6.1.0-rc8+ #229
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
    RIP: 0010:strcmp+0xc/0x30
    Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee
    c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14
    07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3
    RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246
    RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000
    RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000
    RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000
    R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580
    R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538
    FS:  00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)
    knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0
    Call Trace:
     <TASK>
     __find_event_file+0x55/0x90
     action_create+0x76c/0x1060
     event_hist_trigger_parse+0x146d/0x2060
     ? event_trigger_write+0x31/0xd0
     trigger_process_regex+0xbb/0x110
     event_trigger_write+0x6b/0xd0
     vfs_write+0xc8/0x3e0
     ? alloc_fd+0xc0/0x160
     ? preempt_count_add+0x4d/0xa0
     ? preempt_count_add+0x70/0xa0
     ksys_write+0x5f/0xe0
     do_syscall_64+0x3b/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7f1d1d0cf077
    Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e
    fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00
    f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74
    RSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077
    RDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001
    RBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142
    R
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-010799
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e86267b4");
  # https://lore.kernel.org/linux-cve-announce/2025100700-CVE-2022-50553-8917@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e8f94a8c");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50553");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50553");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060e',
    'pkgs': [
      {'reference':'kernel-5.10.0-38', 'sp':'1060e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1060e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1060e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1060e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-38', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Apr 2026 00:00Current
5.6Medium risk
Vulners AI Score5.6
CVSS 3.15.5
EPSS0.00187
7