Unity Linux 20.1050e Security Update: kernel (UTSA-2025-991137)

Severity: High
Nessus Plugin ID: 278191

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991137 advisory.

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput

During the unmount process of nilfs2, nothing holds the nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, nilfs_evict_inode() could cause a use-after-free read of nilfs_root if inodes are left in garbage_list and released by nilfs_dispose_list() at the end of nilfs_detach_log_writer(), and this bug was fixed by commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()").

However, it turned out that there is another possibility of UAF in the call path where mark_inode_dirty_sync() is called from iput():

nilfs_detach_log_writer()
  nilfs_dispose_list()
    iput()
      mark_inode_dirty_sync()
        __mark_inode_dirty()
          nilfs_dirty_inode()
            __nilfs_mark_inode_dirty()
              nilfs_load_inode_block() --> causes UAF of nilfs_root struct

This can happen after commit 0ae45f63d4ef (vfs: add support for a lazytime mount option), which changed iput() to call mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME flag and i_nlink is non-zero.

This issue appears after commit 28a65b49eb53 (nilfs2: do not write dirty data after degenerating to read-only) when using the syzbot reproducer, but the issue has potentially existed before.

Fix this issue by adding a purging flag to the nilfs structure, setting that flag while disposing the garbage_list and checking it in __nilfs_mark_inode_dirty().

Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()"), this patch does not rely on ns_writer to determine whether to skip operations, so as not to break recovery on mount. The nilfs_salvage_orphan_logs routine dirties the buffer of salvaged data before attaching the log writer, so changing __nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL would cause the recovery write to fail. The purpose of using the cleanup-only flag is to allow for narrowing of such conditions.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?4232b160

http://www.nessus.org/u?5b1fc390

https://nvd.nist.gov/vuln/detail/CVE-2023-53311

Plugin Details

Severity: High

ID: 278191

File Name: unity_linux_UTSA-2025-991137.nasl

Version: 1.1

Type: local

Published: 12/11/2025

Updated: 12/11/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-53311

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/11/2025

Vulnerability Publication Date: 9/4/2021

Reference Information

CVE: CVE-2023-53311