Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013453)

🗓️ 22 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 13 Views

Kernel patch cancels blk-mq dispatch work in both cleanup and disk release to prevent oops.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(309561);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_cve_id("CVE-2021-47552");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013453)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-013453 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release()

    For avoiding to slow down queue destroy, we don't call
    blk_mq_quiesce_queue() in blk_cleanup_queue(), instead of delaying to
    cancel dispatch work in blk_release_queue().

    However, this way has caused kernel oops[1], reported by Changhui. The log
    shows that scsi_device can be freed before running blk_release_queue(),
    which is expected too since scsi_device is released after the scsi disk
    is closed and the scsi_device is removed.

    Fixes the issue by canceling blk-mq dispatch work in both blk_cleanup_queue()
    and disk_release():

    1) when disk_release() is run, the disk has been closed, and any sync
    dispatch activities have been done, so canceling dispatch work is enough to
    quiesce filesystem I/O dispatch activity.

    2) in blk_cleanup_queue(), we only focus on passthrough request, and
    passthrough request is always explicitly allocated & freed by
    its caller, so once queue is frozen, all sync dispatch activity
    for passthrough request has been done, then it is enough to just cancel
    dispatch work for avoiding any dispatch activity.

    [1] kernel panic log
    [12622.769416] BUG: kernel NULL pointer dereference, address: 0000000000000300
    [12622.777186] #PF: supervisor read access in kernel mode
    [12622.782918] #PF: error_code(0x0000) - not-present page
    [12622.788649] PGD 0 P4D 0
    [12622.791474] Oops: 0000 [#1] PREEMPT SMP PTI
    [12622.796138] CPU: 10 PID: 744 Comm: kworker/10:1H Kdump: loaded Not tainted 5.15.0+ #1
    [12622.804877] Hardware name: Dell Inc. PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015
    [12622.813321] Workqueue: kblockd blk_mq_run_work_fn
    [12622.818572] RIP: 0010:sbitmap_get+0x75/0x190
    [12622.823336] Code: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48
    c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 <48> 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e8 fa f3 ff ff 83 f8 ff 75
    58
    [12622.844290] RSP: 0018:ffffb00a446dbd40 EFLAGS: 00010202
    [12622.850120] RAX: 0000000000000001 RBX: 0000000000000300 RCX: 0000000000000004
    [12622.858082] RDX: 0000000000000006 RSI: 0000000000000082 RDI: ffffa0b7a2dfe030
    [12622.866042] RBP: 0000000000000004 R08: 0000000000000001 R09: ffffa0b742721334
    [12622.874003] R10: 0000000000000008 R11: 0000000000000008 R12: 0000000000000000
    [12622.881964] R13: 0000000000000340 R14: 0000000000000000 R15: ffffa0b7a2dfe030
    [12622.889926] FS:  0000000000000000(0000) GS:ffffa0baafb40000(0000) knlGS:0000000000000000
    [12622.898956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [12622.905367] CR2: 0000000000000300 CR3: 0000000641210001 CR4: 00000000001706e0
    [12622.913328] Call Trace:
    [12622.916055]  <TASK>
    [12622.918394]  scsi_mq_get_budget+0x1a/0x110
    [12622.922969]  __blk_mq_do_dispatch_sched+0x1d4/0x320
    [12622.928404]  ? pick_next_task_fair+0x39/0x390
    [12622.933268]  __blk_mq_sched_dispatch_requests+0xf4/0x140
    [12622.939194]  blk_mq_sched_dispatch_requests+0x30/0x60
    [12622.944829]  __blk_mq_run_hw_queue+0x30/0xa0
    [12622.949593]  process_one_work+0x1e8/0x3c0
    [12622.954059]  worker_thread+0x50/0x3b0
    [12622.958144]  ? rescuer_thread+0x370/0x370
    [12622.962616]  kthread+0x158/0x180
    [12622.966218]  ? set_kthread_struct+0x40/0x40
    [12622.970884]  ret_from_fork+0x22/0x30
    [12622.974875]  </TASK>
    [12622.977309] Modules linked in: scsi_debug rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd
    grace fscache netfs sunrpc dm_multipath intel_rapl_msr intel_rapl_common dell_wmi_descriptor sb_edac
    rfkill video x86_pkg_temp_thermal intel_powerclamp dcdbas coretemp kvm_intel kvm mgag200 irqbypass
    i2c_algo_bit rapl drm_kms_helper ipmi_ssif intel_cstate intel_uncore syscopyarea sysfillrect sysimgblt
    fb_sys_fops pcspkr cec mei_me lpc_ich mei ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter drm fuse
    xfs libcrc32c sr_mod cdrom sd_mod t10_pi sg ixgbe ahci libahci crct10dif_pclmul crc32_pclmul crc32c_intel
    libata megaraid_sas ghash_clmulni_intel tg3 wdat_w
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-013453
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2c2ef17f");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47552");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47552");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/05/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-48', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-48', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-48', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-48', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Apr 2026 00:00Current
5.7Medium risk
Vulners AI Score5.7
CVSS 3.15.5
EPSS0.00199
SSVC
13