Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013210)

🗓️ 21 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Kernel security update fixes double-free in fs/jfs dbUnmount after failed jfs_remount.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(308056);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/21");

  script_cve_id("CVE-2023-54127");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013210)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-013210 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

    Syzkaller reported the following issue:
    ==================================================================
    BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
    BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
    Free of addr ffff888086408000 by task syz-executor.4/12750
    [...]
    Call Trace:
     <TASK>
    [...]
     kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
     ____kasan_slab_free+0xfb/0x120
     kasan_slab_free include/linux/kasan.h:177 [inline]
     slab_free_hook mm/slub.c:1781 [inline]
     slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
     slab_free mm/slub.c:3787 [inline]
     __kmem_cache_free+0x71/0x110 mm/slub.c:3800
     dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
     jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
     jfs_put_super+0x86/0x190 fs/jfs/super.c:194
     generic_shutdown_super+0x130/0x310 fs/super.c:492
     kill_block_super+0x79/0xd0 fs/super.c:1386
     deactivate_locked_super+0xa7/0xf0 fs/super.c:332
     cleanup_mnt+0x494/0x520 fs/namespace.c:1291
     task_work_run+0x243/0x300 kernel/task_work.c:179
     resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
     exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
     exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
     __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
     syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
     do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    [...]
     </TASK>

    Allocated by task 13352:
     kasan_save_stack mm/kasan/common.c:45 [inline]
     kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
     ____kasan_kmalloc mm/kasan/common.c:371 [inline]
     __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
     kmalloc include/linux/slab.h:580 [inline]
     dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
     jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
     jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
     mount_bdev+0x26c/0x3a0 fs/super.c:1359
     legacy_get_tree+0xea/0x180 fs/fs_context.c:610
     vfs_get_tree+0x88/0x270 fs/super.c:1489
     do_new_mount+0x289/0xad0 fs/namespace.c:3145
     do_mount fs/namespace.c:3488 [inline]
     __do_sys_mount fs/namespace.c:3697 [inline]
     __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

    Freed by task 13352:
     kasan_save_stack mm/kasan/common.c:45 [inline]
     kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
     kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
     ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
     kasan_slab_free include/linux/kasan.h:177 [inline]
     slab_free_hook mm/slub.c:1781 [inline]
     slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
     slab_free mm/slub.c:3787 [inline]
     __kmem_cache_free+0x71/0x110 mm/slub.c:3800
     dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
     jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
     jfs_remount+0x3db/0x710 fs/jfs/super.c:454
     reconfigure_super+0x3bc/0x7b0 fs/super.c:935
     vfs_fsconfig_locked fs/fsopen.c:254 [inline]
     __do_sys_fsconfig fs/fsopen.c:439 [inline]
     __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    [...]

    JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
    dbUnmount().

    Syzkaller uses faultinject to reproduce this KASAN double-free
    warning. The issue is triggered if either diMount() or dbMount() fail
    in jfs_remount(), since diUnmount() or dbUnmount() already happened in
    such a case - they will do double-free on next execution: jfs_umount
    or jfs_remount.

    Tested on both upstream and jfs-next by syzkaller.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-013210
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a59d75c2");
  # https://lore.kernel.org/linux-cve-announce/2025122418-CVE-2023-54127-87e6@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ae56d22");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-54127");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:N/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-54127");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'sw_64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-4.19.90-2409.6.0.0297.95', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2409.6.0.0297.95', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2409.6.0.0297.95', 'sp':'1070e', 'cpu':'sw_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-4.19.90-2409.6.0.0297.95', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Apr 2026 00:00Current
5.7Medium risk
Vulners AI Score5.7
EPSS0.0019
4