Detections
Analytics

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-387086)

medium Nessus Plugin ID 267461

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-387086 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 mm: swap: fix race between free_swap_and_cache() and swapoff()

 There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map.

 This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below).

 Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache().

 Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this):

 --8<-----

 __swap_entry_free() might be the last user and result in count == SWAP_HAS_CACHE.

 swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.

 So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped().

 Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries.

 Process 1 still references subpage 0 via swap entry.
 Process 2 still references subpage 1 via swap entry.

 Process 1 quits. Calls free_swap_and_cache().
 -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.]

 Process 2 quits. Calls free_swap_and_cache().
 -> count == SWAP_HAS_CACHE

 Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls
 __try_to_reclaim_swap().

 __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ...
 WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);

 What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()?

 --8<-----

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?0949e5d3

http://www.nessus.org/u?10e03cb9

https://nvd.nist.gov/vuln/detail/CVE-2024-26960

Plugin Details

Severity: Medium

ID: 267461

File Name: unity_linux_UTSA-2025-387086.nasl

Version: 1.2

Type: local

Published: 10/7/2025

Updated: 10/15/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2024-26960

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/8/2025

Vulnerability Publication Date: 4/9/2024

Reference Information

CVE: CVE-2024-26960