Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013104)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Unity Linux 20 kernel fix for a uninitialized value issue in hfs_find_set_zero_bits.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(307861);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/21");

  script_cve_id("CVE-2025-40243");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013104)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-013104 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()

    The syzbot reported issue in hfs_find_set_zero_bits():

    =====================================================
    BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
     hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45
     hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151
     hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408
     hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353
     __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151
     block_write_begin fs/buffer.c:2262 [inline]
     cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601
     hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
     cont_expand_zero fs/buffer.c:2528 [inline]
     cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591
     hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52
     hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494
     hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654
     notify_change+0x1993/0x1aa0 fs/attr.c:552
     do_truncate+0x28f/0x310 fs/open.c:68
     do_ftruncate+0x698/0x730 fs/open.c:195
     do_sys_ftruncate fs/open.c:210 [inline]
     __do_sys_ftruncate fs/open.c:215 [inline]
     __se_sys_ftruncate fs/open.c:213 [inline]
     __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213
     x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78
     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
     do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    Uninit was created at:
     slab_post_alloc_hook mm/slub.c:4154 [inline]
     slab_alloc_node mm/slub.c:4197 [inline]
     __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354
     kmalloc_noprof include/linux/slab.h:905 [inline]
     hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175
     hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337
     get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681
     get_tree_bdev+0x38/0x50 fs/super.c:1704
     hfs_get_tree+0x35/0x40 fs/hfs/super.c:388
     vfs_get_tree+0xb0/0x5c0 fs/super.c:1804
     do_new_mount+0x738/0x1610 fs/namespace.c:3902
     path_mount+0x6db/0x1e90 fs/namespace.c:4226
     do_mount fs/namespace.c:4239 [inline]
     __do_sys_mount fs/namespace.c:4450 [inline]
     __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427
     __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427
     x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166
     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
     do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

    CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none)
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
    =====================================================

    The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():

    HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);

    Finally, it can trigger the reported issue because kmalloc()
    doesn't clear the allocated memory. If allocated memory contains
    only zeros, then everything will work pretty fine.
    But if the allocated memory contains the garbage, then
    it can affect the bitmap operations and it triggers
    the reported issue.

    This patch simply exchanges the kmalloc() on kzalloc()
    with the goal to guarantee the correctness of bitmap operations.
    Because, newly created allocation bitmap should have all
    available blocks free. Potentially, initialization bitmap's read
    operation could not fill the whole allocated memory and
    garbage in the not initialized memory will be the reason of
    volume coruptions and file system driver bugs.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-013104
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?66f247fb");
  # https://lore.kernel.org/linux-cve-announce/2025120404-CVE-2025-40243-8cca@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d4334c3");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-40243");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-40243");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.10', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
EPSS0.00184
4