The version of Tencent Linux installed on the remote TencentOS Server 2 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0144 advisory.

    Package updates are available for TencentOS Server 2 that fix the following vulnerabilities:

    CVE-2021-46972:
    In the Linux kernel, the following vulnerability has been resolved:

    ovl: fix leaked dentry

    Since commit 6815f479ca90 (ovl: use only uppermetacopy state in     ovl_lookup()), overlayfs doesn't put temporary dentry when there is a     metacopy error, which leads to dentry leaks when shutting down the related     superblock:

    overlayfs: refusing to follow metacopy origin for (/file0)     ...
    BUG: Dentry (____ptrval____){i=3f33,n=file3}  still in use (1) [unmount of overlay overlay]     ...
    WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d     CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1     ...
    RIP: 0010:umount_check.cold+0x107/0x14d     ...
    Call Trace:
     d_walk+0x28c/0x950      ? dentry_lru_isolate+0x2b0/0x2b0      ? __kasan_slab_free+0x12/0x20      do_one_tree+0x33/0x60      shrink_dcache_for_umount+0x78/0x1d0      generic_shutdown_super+0x70/0x440      kill_anon_super+0x3e/0x70      deactivate_locked_super+0xc4/0x160      deactivate_super+0xfa/0x140      cleanup_mnt+0x22e/0x370
     __cleanup_mnt+0x1a/0x30      task_work_run+0x139/0x210      do_exit+0xb0c/0x2820      ? __kasan_check_read+0x1d/0x30      ? find_held_lock+0x35/0x160      ? lock_release+0x1b6/0x660      ? mm_update_next_owner+0xa20/0xa20      ? reacquire_held_locks+0x3f0/0x3f0      ? __sanitizer_cov_trace_const_cmp4+0x22/0x30      do_group_exit+0x135/0x380
     __do_sys_exit_group.isra.0+0x20/0x20
     __x64_sys_exit_group+0x3c/0x50      do_syscall_64+0x45/0x70      entry_SYSCALL_64_after_hwframe+0x44/0xae     ...
    VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds.  Have a nice day...

    This fix has been tested with a syzkaller reproducer.

    CVE-2021-3739:
    A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the     Linux Kernel, where triggering the bug requires CAP_SYS_ADMIN. This flaw allows a local attacker to     crash the system or leak kernel internal information. The highest threat from this vulnerability is to     system availability.

    CVE-2021-4083:
    A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket     file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race     condition. This flaw allows a local user to crash the system or escalate their privileges on the system.
    This flaw affects Linux kernel versions prior to 5.16-rc4.

    CVE-2023-1611:
    A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This     flaw allows an attacker to crash the system and possibly cause a kernel information lea

    CVE-2022-0480:
    A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to     host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX)     file locks.

    CVE-2022-3606:
    A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the     function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation     leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier     VDB-211749 was assigned to this vulnerability.

    CVE-2023-52583:
    In the Linux kernel, the following vulnerability has been resolved:

    ceph: fix deadlock or deadcode of misusing dget()

    The lock order is incorrect between denty and its parent, we should     always make sure that the parent get the lock first.

    But since this deadcode is never used and the parent dir will always     be set from the callers, let's just remove it.

    CVE-2023-52590:
    In the Linux kernel, the following vulnerability has been resolved:

    ocfs2: Avoid touching renamed directory if parent does not change

    The VFS will not be locking moved directory if its parent does not     change. Change ocfs2 rename code to avoid touching renamed directory if     its parent does not change as without locking that can corrupt the     filesystem.

    CVE-2023-52591:
    In the Linux kernel, the following vulnerability has been resolved:

    reiserfs: Avoid touching renamed directory if parent does not change

    The VFS will not be locking moved directory if its parent does not     change. Change reiserfs rename code to avoid touching renamed directory     if its parent does not change as without locking that can corrupt the     filesystem.

    CVE-2023-52599:
    In the Linux kernel, the following vulnerability has been resolved:

    jfs: fix array-index-out-of-bounds in diNewExt

    [Syz report]     UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2     index -878706688 is out of range for type 'struct iagctl[128]'     CPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0     Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023     Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]      dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106      ubsan_epilogue lib/ubsan.c:217 [inline]
     __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348      diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360      diAllocExt fs/jfs/jfs_imap.c:1949 [inline]      diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666      diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587      ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56      jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225      vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106      do_mkdirat+0x264/0x3a0 fs/namei.c:4129
     __do_sys_mkdir fs/namei.c:4149 [inline]
     __se_sys_mkdir fs/namei.c:4147 [inline]
     __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147      do_syscall_x64 arch/x86/entry/common.c:51 [inline]      do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82      entry_SYSCALL_64_after_hwframe+0x63/0x6b     RIP: 0033:0x7fcb7e6a0b57     Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44     00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48     RSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053     RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57     RDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140     RBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000     R10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0     R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

    [Analysis]     When the agstart is too large, it can cause agno overflow.

    [Fix]     After obtaining agno, if the value is invalid, exit the subsequent process.


    Modified the test from agno > MAXAG to agno >= MAXAG based on linux-next     report by kernel test robot (Dan Carpenter).

    CVE-2023-52600:
    In the Linux kernel, the following vulnerability has been resolved:

    jfs: fix uaf in jfs_evict_inode

    When the execution of diMount(ipimap) fails, the object ipimap that has been     released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs     when rcu_core() calls jfs_free_node().

    Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as     ipimap.

    CVE-2024-1086:
    A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to     achieve local privilege escalation.

    The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence     the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error     which resembles NF_ACCEPT.

    We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

    CVE-2023-6121:
    An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This flaw     allows a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that     results in kmalloc data to be printed (and potentially leaked) to the kernel ring buffer (dmesg).

    CVE-2023-6931:
    A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be     exploited to achieve local privilege escalation.

    A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in     perf_read_group().

    We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.



    CVE-2022-45886:
    An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a     .disconnect versus dvb_device_open race condition that leads to a use-after-free.

    CVE-2022-45919:
    An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a     use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.

    CVE-2022-20423:
    In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This     could lead to local escalation of privilege if a malicious USB device is attached with no additional     execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:
    Android kernelAndroid ID: A-239842288References: Upstream kernel

    CVE-2023-6606:
    An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux     Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.

    CVE-2023-6610:
    An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux     Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.

    CVE-2024-0565:
    An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in     the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy     length, leading to a denial of service.

    CVE-2023-26607:
    In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

    CVE-2022-42328:
    Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs;
    the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced     another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the     XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock     could occur in case of netpoll being active for the interface the xen-netback driver is connected to     (CVE-2022-42329).

    CVE-2022-42329:
    Guests can trigger deadlock in Linux netback driver T[his CNA information record relates to multiple CVEs;
    the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced     another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the     XSA-392 handling (CVE-2022-42328). Additionally when dropping packages for other reasons the same deadlock     could occur in case of netpoll being active for the interface the xen-netback driver is connected to     (CVE-2022-42329).

    CVE-2023-42754:
    A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was     assumed to be associated with a device before calling __ip_options_compile, which is not always the case     if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash     the system.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

TencentOS Server 2: kernel (TSSA-2024:0144)

high Nessus Plugin ID 239077

Version 1.3

Version 1.2

Version 1.1

Version 1.3 Nov 23, 2025, 9:24 PM CISA reference Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202511232124
Version 1.2 Nov 21, 2025, 2:12 PM CVE (set "CVE" coverage to "CVE-2021-3739,CVE-2021-4083,CVE-2021-46972,CVE-2022-0480,CVE-2022-20423,CVE-2022-3606,CVE-2022-42328,CVE-2022-42329,CVE-2022-45886,CVE-2022-45919,CVE-2023-1611,CVE-2023-26607,CVE-2023-42754,CVE-2023-52583,CVE-2023-52590,CVE-2023-52591,CVE-2023-52599,CVE-2023-52600,CVE-2023-6121,CVE-2023-6606,CVE-2023-6610,CVE-2023-6931,CVE-2024-0565,CVE-2024-1086") CVSS metrics ("CVSSv2 score" set to 6.9) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 7.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") CVSSv2 score source (set to "CVE-2021-4083") CVSSv2 severity (based on CVE-2021-4083, severity decreased from "High" to "Medium") CVSSv3 score source (set to "CVE-2024-1086") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin metadata Plugin Feed: 202511211412
Version 1.1 Jun 17, 2025, 2:02 AM New Plugin Feed: 202506170202