Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013733)

🗓️ 22 Apr 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Unity Linux 20.1070a fixes kernel hfs_bnode_get in __hfs_bnode_create and hfs_bnode_put bug.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(309412);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_cve_id("CVE-2023-53862");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013733)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2026-013733 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    hfs: fix missing hfs_bnode_get() in __hfs_bnode_create

    Syzbot found a kernel BUG in hfs_bnode_put():

     kernel BUG at fs/hfs/bnode.c:466!
     invalid opcode: 0000 [#1] PREEMPT SMP KASAN
     CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0
     Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
     Workqueue: writeback wb_workfn (flush-7:0)
     RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466
     Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9
    93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56
     RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293
     RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0
     RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
     RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1
     R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80
     R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00
     FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
     Call Trace:
      <TASK>
      hfs_write_inode+0x1bc/0xb40
      write_inode fs/fs-writeback.c:1440 [inline]
      __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652
      writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878
      __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949
      wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054
      wb_check_start_all fs/fs-writeback.c:2176 [inline]
      wb_do_writeback fs/fs-writeback.c:2202 [inline]
      wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235
      process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
      worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
      kthread+0x266/0x300 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      </TASK>

    The BUG_ON() is triggered at here:

    /* Dispose of resources used by a node */
    void hfs_bnode_put(struct hfs_bnode *node)
    {
            if (node) {
                    <skipped>
                    BUG_ON(!atomic_read(&node->refcnt)); <- we have issue here!!!!
                    <skipped>
            }
    }

    By tracing the refcnt, I found the node is created by hfs_bmap_alloc()
    with refcnt 1.  Then the node is used by hfs_btree_write().  There is a
    missing of hfs_bnode_get() after find the node.  The issue happened in
    following path:

    <alloc>
     hfs_bmap_alloc
       hfs_bnode_find
         __hfs_bnode_create   <- allocate a new node with refcnt 1.
       hfs_bnode_put          <- decrease the refcnt

    <write>
     hfs_btree_write
       hfs_bnode_find
         __hfs_bnode_create
           hfs_bnode_findhash <- find the node without refcnt increased.
       hfs_bnode_put          <- trigger the BUG_ON() since refcnt is 0.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2026-013733
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0853886d");
  # https://lore.kernel.org/linux-cve-announce/2025120905-CVE-2023-53862-81d5@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac5d7f83");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-53862");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-53862");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-38', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-38', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Apr 2026 00:00Current
5.6Medium risk
Vulners AI Score5.6
EPSS0.00201
4