Detections
Analytics

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2025-993278)

medium Nessus Plugin ID 281322

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993278 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 tracing: Have trace_event_file have ref counters

 The following can crash the kernel:

 # cd /sys/kernel/tracing # echo 'p:sched schedule' > kprobe_events # exec 5>>events/kprobes/sched/enable # > kprobe_events # exec 5>&-

 The above commands:

 1. Change directory to the tracefs directory 2. Create a kprobe event (doesn't matter what one) 3. Open bash file descriptor 5 on the enable file of the kprobe event 4. Delete the kprobe event (removes the files too) 5. Close the bash file descriptor 5

 The above causes a crash!

 BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:tracing_release_file_tr+0xc/0x50

 What happens here is that the kprobe event creates a trace_event_file file descriptor that represents the file in tracefs to the event. It maintains state of the event (is it enabled for the given instance?).
 Opening the enable file gets a reference to the event file descriptor via the open file descriptor. When the kprobe event is deleted, the file is also deleted from the tracefs system which also frees the event file descriptor.

 But as the tracefs file is still opened by user space, it will not be totally removed until the final dput() is called on it. But this is not true with the event file descriptor that is already freed. If the user does a write to or simply closes the file descriptor it will reference the event file descriptor that was just freed, causing a use-after-free bug.

 To solve this, add a ref count to the event file descriptor as well as a new flag called FREED. The file will not be freed until the last reference is released. But the FREE flag will be set when the event is removed to prevent any more modifications to that event from happening, even if there's still a reference to the event file descriptor.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?670c683e

http://www.nessus.org/u?723339c2

https://nvd.nist.gov/vuln/detail/CVE-2023-52879

Plugin Details

Severity: Medium

ID: 281322

File Name: unity_linux_UTSA-2025-993278.nasl

Version: 1.1

Type: local

Published: 12/31/2025

Updated: 12/31/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2023-52879

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/31/2025

Vulnerability Publication Date: 12/14/2023

Reference Information

CVE: CVE-2023-52879