Lucene search
K

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013603)

🗓️ 22 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Linux kernel security update fixes use-after-free in mlx5 async command interface via completion.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(309312);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/26");

  script_cve_id("CVE-2022-50726");

  script_name(english:"Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013603)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-013603 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    net/mlx5: Fix possible use-after-free in async command interface

    mlx5_cmd_cleanup_async_ctx should return only after all its callback
    handlers were completed. Before this patch, the below race between
    mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and
    lead to a use-after-free:

    1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.
       elevated by 1, a single inflight callback).
    2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.
    3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and
       is about to call wake_up().
    4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns
       immediately as the condition (num_inflight == 0) holds.
    5. mlx5_cmd_cleanup_async_ctx returns.
    6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx
       object.
    7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed
       object.

    Fix it by syncing using a completion object. Mark it completed when
    num_inflight reaches 0.

    Trace:

    BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270
    Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0

    CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org
    04/01/2014
    Call Trace:
     <IRQ>
     dump_stack_lvl+0x57/0x7d
     print_report.cold+0x2d5/0x684
     ? do_raw_spin_lock+0x23d/0x270
     kasan_report+0xb1/0x1a0
     ? do_raw_spin_lock+0x23d/0x270
     do_raw_spin_lock+0x23d/0x270
     ? rwlock_bug.part.0+0x90/0x90
     ? __delete_object+0xb8/0x100
     ? lock_downgrade+0x6e0/0x6e0
     _raw_spin_lock_irqsave+0x43/0x60
     ? __wake_up_common_lock+0xb9/0x140
     __wake_up_common_lock+0xb9/0x140
     ? __wake_up_common+0x650/0x650
     ? destroy_tis_callback+0x53/0x70 [mlx5_core]
     ? kasan_set_track+0x21/0x30
     ? destroy_tis_callback+0x53/0x70 [mlx5_core]
     ? kfree+0x1ba/0x520
     ? do_raw_spin_unlock+0x54/0x220
     mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]
     ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
     ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
     mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]
     ? dump_command+0xcc0/0xcc0 [mlx5_core]
     ? lockdep_hardirqs_on_prepare+0x400/0x400
     ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
     cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
     atomic_notifier_call_chain+0xd7/0x1d0
     mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]
     atomic_notifier_call_chain+0xd7/0x1d0
     ? irq_release+0x140/0x140 [mlx5_core]
     irq_int_handler+0x19/0x30 [mlx5_core]
     __handle_irq_event_percpu+0x1f2/0x620
     handle_irq_event+0xb2/0x1d0
     handle_edge_irq+0x21e/0xb00
     __common_interrupt+0x79/0x1a0
     common_interrupt+0x78/0xa0
     </IRQ>
     <TASK>
     asm_common_interrupt+0x22/0x40
    RIP: 0010:default_idle+0x42/0x60
    Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07
    0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00
    RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242
    RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110
    RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc
    RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3
    R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005
    R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000
     ? default_idle_call+0xcc/0x450
     default_idle_call+0xec/0x450
     do_idle+0x394/0x450
     ? arch_cpu_idle_exit+0x40/0x40
     ? do_idle+0x17/0x450
     cpu_startup_entry+0x19/0x20
     start_secondary+0x221/0x2b0
     ? set_cpu_sibling_map+0x2070/0x2070
     secondary_startup_64_no_verify+0xcd/0xdb
     </TASK>

    Allocated by task 49502:
     kasan_save_stack+0x1e/0x40
     __kasan_kmalloc+0x81/0xa0
     kvmalloc_node+0x48/0xe0
     mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]
     mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]
     mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]
     mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]
     mlx5e_detach_netdev+0x1c
    ---truncated---

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-013603
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?52bc4222");
  # https://lore.kernel.org/linux-cve-announce/2025122418-CVE-2022-50726-2f42@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c525bb7");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-50726");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-50726");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1060a|20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1060a / 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1060a',
    'pkgs': [
      {'reference':'kernel-5.10.0-28', 'sp':'1060a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1060a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  },
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-28', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-28', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Apr 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
EPSS0.002
4