Detections
Analytics

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005062)

medium Nessus Plugin ID 296823

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005062 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

 FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following:

 DWC3 Gadget FFS Application dwc3_gadget_soft_disconnect() ...
 --> dwc3_stop_active_transfers()
 --> dwc3_gadget_giveback(-ESHUTDOWN)
 --> ffs_epfile_async_io_complete() ffs_aio_cancel()
 --> usb_ep_free_request() --> usb_ep_dequeue()

 There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application.
 As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer.

 commit b566d38857fc (usb: gadget: f_fs: use io_data->status consistently) relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
 However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock.

 Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it.

 This fix depends on commit b566d38857fc (usb: gadget: f_fs: use io_data->status consistently)

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?0f5163dd

http://www.nessus.org/u?27b57a13

https://nvd.nist.gov/vuln/detail/CVE-2024-36894

Plugin Details

Severity: Medium

ID: 296823

File Name: unity_linux_UTSA-2026-005062.nasl

Version: 1.1

Type: local

Published: 1/27/2026

Updated: 1/27/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-36894

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.9

Vector: CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/UOS-Server/release, Host/UOS-Server/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 1/27/2026

Vulnerability Publication Date: 4/9/2024

Reference Information

CVE: CVE-2024-36894