Detections
Analytics

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-992393)

medium Nessus Plugin ID 280351

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-992393 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: fix sysfs interface lifetime

 The current nilfs2 sysfs support has issues with the timing of creation and deletion of sysfs entries, potentially leading to null pointer dereferences, use-after-free, and lockdep warnings.

 Some of the sysfs attributes for nilfs2 per-filesystem instance refer to metadata file cpfile, sufile, or dat, but nilfs_sysfs_create_device_group that creates those attributes is executed before the inodes for these metadata files are loaded, and nilfs_sysfs_delete_device_group which deletes these sysfs entries is called after releasing their metadata file inodes.

 Therefore, access to some of these sysfs attributes may occur outside of the lifetime of these metadata files, resulting in inode NULL pointer dereferences or use-after-free.

 In addition, the call to nilfs_sysfs_create_device_group() is made during the locking period of the semaphore ns_sem of nilfs object, so the shrinker call caused by the memory allocation for the sysfs entries, may derive lock dependencies ns_sem -> (shrinker) -> locks acquired in nilfs_evict_inode().

 Since nilfs2 may acquire ns_sem deep in the call stack holding other locks via its error handler __nilfs_error(), this causes lockdep to report circular locking. This is a false positive and no circular locking actually occurs as no inodes exist yet when nilfs_sysfs_create_device_group() is called. Fortunately, the lockdep warnings can be resolved by simply moving the call to nilfs_sysfs_create_device_group() out of ns_sem.

 This fixes these sysfs issues by revising where the device's sysfs interface is created/deleted and keeping its lifetime within the lifetime of the metadata files above.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?10227b39

http://www.nessus.org/u?0c1429c1

https://nvd.nist.gov/vuln/detail/CVE-2023-53440

Plugin Details

Severity: Medium

ID: 280351

File Name: unity_linux_UTSA-2025-992393.nasl

Version: 1.1

Type: local

Published: 12/30/2025

Updated: 12/30/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2023-53440

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/UOS-Server/release, Host/UOS-Server/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/30/2025

Vulnerability Publication Date: 9/4/2021

Reference Information

CVE: CVE-2023-53440