Lucene search
K

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010948)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Linux kernel IPv6 tunnel MTU sanitization fixes underflow risk in tunnels.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308399);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/21");

  script_cve_id("CVE-2022-50816");

  script_name(english:"Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010948)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-010948 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ipv6: ensure sane device mtu in tunnels

    Another syzbot report [1] with no reproducer hints
    at a bug in ip6_gre tunnel (dev:ip6gretap0)

    Since ipv6 mcast code makes sure to read dev->mtu once
    and applies a sanity check on it (see commit b9b312a7a451
    ipv6: mcast: better catch silly mtu values), a remaining
    possibility is that a layer is able to set dev->mtu to
    an underflowed value (high order bit set).

    This could happen indeed in ip6gre_tnl_link_config_route(),
    ip6_tnl_link_config() and ipip6_tunnel_bind_dev()

    Make sure to sanitize mtu value in a local variable before
    it is written once on dev->mtu, as lockless readers could
    catch wrong temporary value.

    [1]
    skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0
    tail:0xd8 end:0xc0 dev:ip6gretap0
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:120
    Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
    Workqueue: mld mld_ifc_work
    pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116
    lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116
    sp : ffff800020dd3b60
    x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800
    x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200
    x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38
    x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9
    x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80
    x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80
    x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00
    x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000
    x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
    x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089
    Call trace:
    skb_panic+0x4c/0x50 net/core/skbuff.c:116
    skb_over_panic net/core/skbuff.c:125 [inline]
    skb_put+0xd4/0xdc net/core/skbuff.c:2049
    ip6_mc_hdr net/ipv6/mcast.c:1714 [inline]
    mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765
    add_grhead net/ipv6/mcast.c:1851 [inline]
    add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989
    mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115
    mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653
    process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
    worker_thread+0x340/0x610 kernel/workqueue.c:2436
    kthread+0x12c/0x158 kernel/kthread.c:376
    ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000)

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-010948
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4c0ca0c3");
  # https://lore.kernel.org/linux-cve-announce/2025123014-CVE-2022-50816-3fda@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0eb94432");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50816");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50816");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060e',
    'pkgs': [
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1060e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Apr 2026 00:00Current
5.7Medium risk
Vulners AI Score5.7
EPSS0.00211
4