Lucene search
K

Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011063)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel update fixes libceph use-after-free in have_mon_and_osd_map race with monmap and osdmap.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308603);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_cve_id("CVE-2025-68285");

  script_name(english:"Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011063)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-011063 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    libceph: fix potential use-after-free in have_mon_and_osd_map()

    The wait loop in __ceph_open_session() can race with the client
    receiving a new monmap or osdmap shortly after the initial map is
    received.  Both ceph_monc_handle_map() and handle_one_map() install
    a new map immediately after freeing the old one

        kfree(monc->monmap);
        monc->monmap = monmap;

        ceph_osdmap_destroy(osdc->osdmap);
        osdc->osdmap = newmap;

    under client->monc.mutex and client->osdc.lock respectively, but
    because neither is taken in have_mon_and_osd_map() it's possible for
    client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in

        client->monc.monmap && client->monc.monmap->epoch &&
            client->osdc.osdmap && client->osdc.osdmap->epoch;

    condition to dereference an already freed map.  This happens to be
    reproducible with generic/395 and generic/397 with KASAN enabled:

        BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
        Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
        CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
        ...
        Call Trace:
        <TASK>
        have_mon_and_osd_map+0x56/0x70
        ceph_open_session+0x182/0x290
        ceph_get_tree+0x333/0x680
        vfs_get_tree+0x49/0x180
        do_new_mount+0x1a3/0x2d0
        path_mount+0x6dd/0x730
        do_mount+0x99/0xe0
        __do_sys_mount+0x141/0x180
        do_syscall_64+0x9f/0x100
        entry_SYSCALL_64_after_hwframe+0x76/0x7e
        </TASK>

        Allocated by task 13305:
        ceph_osdmap_alloc+0x16/0x130
        ceph_osdc_init+0x27a/0x4c0
        ceph_create_client+0x153/0x190
        create_fs_client+0x50/0x2a0
        ceph_get_tree+0xff/0x680
        vfs_get_tree+0x49/0x180
        do_new_mount+0x1a3/0x2d0
        path_mount+0x6dd/0x730
        do_mount+0x99/0xe0
        __do_sys_mount+0x141/0x180
        do_syscall_64+0x9f/0x100
        entry_SYSCALL_64_after_hwframe+0x76/0x7e

        Freed by task 9475:
        kfree+0x212/0x290
        handle_one_map+0x23c/0x3b0
        ceph_osdc_handle_map+0x3c9/0x590
        mon_dispatch+0x655/0x6f0
        ceph_con_process_message+0xc3/0xe0
        ceph_con_v1_try_read+0x614/0x760
        ceph_con_workfn+0x2de/0x650
        process_one_work+0x486/0x7c0
        process_scheduled_works+0x73/0x90
        worker_thread+0x1c8/0x2a0
        kthread+0x2ec/0x300
        ret_from_fork+0x24/0x40
        ret_from_fork_asm+0x1a/0x30

    Rewrite the wait loop to check the above condition directly with
    client->monc.mutex and client->osdc.lock taken as appropriate.  While
    at it, improve the timeout handling (previously mount_timeout could be
    exceeded in case wait_event_interruptible_timeout() slept more than
    once) and access client->auth_err under client->monc.mutex to match
    how it's set in finish_auth().

    monmap_show() and osdmap_show() now take the respective lock before
    accessing the map as well.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-011063
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?89457d45");
  # https://lore.kernel.org/linux-cve-announce/2025121638-CVE-2025-68285-8339@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fa18016f");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-68285");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-68285");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1050e|20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1050e / 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1050e',
    'pkgs': [
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-27.5', 'sp':'1050e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
EPSS0.00173
SSVC
2