Lucene search
K

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-010941)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 8 Views

Unity Linux 20 kernel security update fixes Bluetooth SCO use-after-free vulnerability.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308747);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_cve_id("CVE-2025-40309");

  script_name(english:"Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-010941)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-010941 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    Bluetooth: SCO: Fix UAF on sco_conn_free

    BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]
    BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]
    BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410
    net/bluetooth/sco.c:107
    Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352

    CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted
    6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    Workqueue: hci13 hci_cmd_sync_work
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120
     print_address_description mm/kasan/report.c:378 [inline]
     print_report+0x191/0x550 mm/kasan/report.c:482
     kasan_report+0xc4/0x100 mm/kasan/report.c:595
     sco_conn_free net/bluetooth/sco.c:87 [inline]
     kref_put include/linux/kref.h:65 [inline]
     sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107
     sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441
     hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
     hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313
     hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121
     hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147
     hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689
     hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332
     process_one_work kernel/workqueue.c:3236 [inline]
     process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319
     worker_thread+0xbee/0x1200 kernel/workqueue.c:3400
     kthread+0x3c7/0x870 kernel/kthread.c:463
     ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148
     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
     </TASK>

    Allocated by task 31370:
     kasan_save_stack mm/kasan/common.c:47 [inline]
     kasan_save_track+0x30/0x70 mm/kasan/common.c:68
     poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
     __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405
     kasan_kmalloc include/linux/kasan.h:260 [inline]
     __do_kmalloc_node mm/slub.c:4382 [inline]
     __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394
     kmalloc_noprof include/linux/slab.h:909 [inline]
     sk_prot_alloc+0xae/0x220 net/core/sock.c:2239
     sk_alloc+0x34/0x5a0 net/core/sock.c:2295
     bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151
     sco_sock_alloc net/bluetooth/sco.c:562 [inline]
     sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593
     bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135
     __sock_create+0x3ad/0x780 net/socket.c:1589
     sock_create net/socket.c:1647 [inline]
     __sys_socket_create net/socket.c:1684 [inline]
     __sys_socket+0xd5/0x330 net/socket.c:1731
     __do_sys_socket net/socket.c:1745 [inline]
     __se_sys_socket net/socket.c:1743 [inline]
     __x64_sys_socket+0x7a/0x90 net/socket.c:1743
     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
     do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Freed by task 31374:
     kasan_save_stack mm/kasan/common.c:47 [inline]
     kasan_save_track+0x30/0x70 mm/kasan/common.c:68
     kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
     poison_slab_object mm/kasan/common.c:243 [inline]
     __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275
     kasan_slab_free include/linux/kasan.h:233 [inline]
     slab_free_hook mm/slub.c:2428 [inline]
     slab_free mm/slub.c:4701 [inline]
     kfree+0x199/0x3b0 mm/slub.c:4900
     sk_prot_free net/core/sock.c:2278 [inline]
     __sk_destruct+0x4aa/0x630 net/core/sock.c:2373
     sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333
     __sock_release net/socket.c:649 [inline]
     sock_close+0xb8/0x230 net/socket.c:1439
     __fput+0x3d1/0x9e0 fs/file_table.c:468
     task_work_run+0x206/0x2a0 kernel/task_work.c:227
     get_signal+0x1201/0x1410 kernel/signal.c:2807
     arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337
     exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40
     exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
     s
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-010941
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9f825765");
  # https://lore.kernel.org/linux-cve-announce/2025120821-CVE-2025-40309-8e98@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?47ad5776");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-40309");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-40309");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050e',
    'pkgs': [
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Apr 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
EPSS0.00145
8