Lucene search
K

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010890)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Kernel security update fixes gntdev VMA splitting to prevent bad page maps and Xen paravirtualized faults.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308787);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_cve_id("CVE-2022-50471");

  script_name(english:"Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010890)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-010890 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    xen/gntdev: Accommodate VMA splitting

    Prior to this commit, the gntdev driver code did not handle the
    following scenario correctly with paravirtualized (PV) Xen domains:

    * User process sets up a gntdev mapping composed of two grant mappings
      (i.e., two pages shared by another Xen domain).
    * User process munmap()s one of the pages.
    * User process munmap()s the remaining page.
    * User process exits.

    In the scenario above, the user process would cause the kernel to log
    the following messages in dmesg for the first munmap(), and the second
    munmap() call would result in similar log messages:

      BUG: Bad page map in process doublemap.test  pte:... pmd:...
      page:0000000057c97bff refcount:1 mapcount:-1 \
        mapping:0000000000000000 index:0x0 pfn:...
      ...
      page dumped because: bad pte
      ...
      file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0
      ...
      Call Trace:
       <TASK>
       dump_stack_lvl+0x46/0x5e
       print_bad_pte.cold+0x66/0xb6
       unmap_page_range+0x7e5/0xdc0
       unmap_vmas+0x78/0xf0
       unmap_region+0xa8/0x110
       __do_munmap+0x1ea/0x4e0
       __vm_munmap+0x75/0x120
       __x64_sys_munmap+0x28/0x40
       do_syscall_64+0x38/0x90
       entry_SYSCALL_64_after_hwframe+0x61/0xcb
       ...

    For each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG)
    would print out the following and trigger a general protection fault in
    the affected Xen PV domain:

      (XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...
      (XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...

    As of this writing, gntdev_grant_map structure's vma field (referred to
    as map->vma below) is mainly used for checking the start and end
    addresses of mappings. However, with split VMAs, these may change, and
    there could be more than one VMA associated with a gntdev mapping.
    Hence, remove the use of map->vma and rely on map->pages_vm_start for
    the original start address and on (map->count << PAGE_SHIFT) for the
    original mapping size. Let the invalidate() and find_special_page()
    hooks use these.

    Also, given that there can be multiple VMAs associated with a gntdev
    mapping, move the mmu_interval_notifier_remove(&map->notifier) call to
    the end of gntdev_put_map, so that the MMU notifier is only removed
    after the closing of the last remaining VMA.

    Finally, use an atomic to prevent inadvertent gntdev mapping re-use,
    instead of using the map->live_grants atomic counter and/or the map->vma
    pointer (the latter of which is now removed). This prevents the
    userspace from mmap()'ing (with MAP_FIXED) a gntdev mapping over the
    same address range as a previously set up gntdev mapping. This scenario
    can be summarized with the following call-trace, which was valid prior
    to this commit:

      mmap
        gntdev_mmap
      mmap (repeat mmap with MAP_FIXED over the same address range)
        gntdev_invalidate
          unmap_grant_pages (sets 'being_removed' entries to true)
            gnttab_unmap_refs_async
        unmap_single_vma
        gntdev_mmap (maps the shared pages again)
      munmap
        gntdev_invalidate
          unmap_grant_pages
            (no-op because 'being_removed' entries are true)
        unmap_single_vma (For PV domains, Xen reports that a granted page
          is being unmapped and triggers a general protection fault in the
          affected domain, if Xen was built with CONFIG_DEBUG)

    The fix for this last scenario could be worth its own commit, but we
    opted for a single commit, because removing the gntdev_grant_map
    structure's vma field requires guarding the entry to gntdev_mmap(), and
    the live_grants atomic counter is not sufficient on its own to prevent
    the mmap() over a pre-existing mapping.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-010890
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?24485595");
  # https://lore.kernel.org/linux-cve-announce/2025100436-CVE-2022-50471-a799@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f054e84c");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50471");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50471");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050e|20.1060e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050e / 20.1060e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050e',
    'pkgs': [
      {'reference':'kernel-5.10.0-26', 'sp':'1050e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1050e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1050e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1060e',
    'pkgs': [
      {'reference':'kernel-5.10.0-26', 'sp':'1060e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1060e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1060e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1060e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-26', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-26', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.15.5
EPSS0.00148
3