Detections
Analytics

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-007391)

medium Nessus Plugin ID 307295

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007391 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 dm thin: Fix UAF in run_timer_softirq()

 When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows:

 BUG: KASAN: use-after-free in __run_timers+0x173/0x710 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0 <snip> Call Trace:
 <IRQ> dump_stack_lvl+0x73/0x9f print_report.cold+0x132/0xaa2
 _raw_spin_lock_irqsave+0xcd/0x160
 __run_timers+0x173/0x710 kasan_report+0xad/0x110
 __run_timers+0x173/0x710
 __asan_store8+0x9c/0x140
 __run_timers+0x173/0x710 call_timer_fn+0x310/0x310 pvclock_clocksource_read+0xfa/0x250 kvm_clock_read+0x2c/0x70 kvm_clock_get_cycles+0xd/0x20 ktime_get+0x5c/0x110 lapic_next_event+0x38/0x50 clockevents_program_event+0xf1/0x1e0 run_timer_softirq+0x49/0x90
 __do_softirq+0x16e/0x62c
 __irq_exit_rcu+0x1fa/0x270 irq_exit_rcu+0x12/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0

 One of the concurrency UAF can be shown as below:

 use free do_resume |
 __find_device_hash_cell | dm_get | atomic_inc(&md->holders) | | dm_destroy | __dm_destroy | if (!dm_suspended_md(md)) | atomic_read(&md->holders) | msleep(1) dm_resume |
 __dm_resume | dm_table_resume_targets | pool_resume | do_waker #add delay work | dm_put | atomic_dec(&md->holders) | | dm_table_destroy | pool_dtr | __pool_dec | __pool_destroy | destroy_workqueue | kfree(pool) # free pool time out
 __do_softirq run_timer_softirq # pool has already been freed

 This can be easily reproduced using:
 1. create thin-pool 2. dmsetup suspend pool 3. dmsetup resume pool 4. dmsetup remove_all # Concurrent with 3

 The root cause of this UAF bug is that dm_resume() adds timer after dm_destroy() skips cancelling the timer because of suspend status.
 After timeout, it will call run_timer_softirq(), however pool has already been freed. The concurrency UAF bug will happen.

 Therefore, cancelling timer again in __pool_destroy().

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?f28296c9

http://www.nessus.org/u?9a35b154

https://nvd.nist.gov/vuln/detail/CVE-2022-50563

Plugin Details

Severity: Medium

ID: 307295

File Name: unity_linux_UTSA-2026-007391.nasl

Version: 1.1

Type: Local

Published: 4/17/2026

Updated: 4/17/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:L/AC:H/Au:S/C:P/I:P/A:C

CVSS Score Source: CVE-2022-50563

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/17/2026

Vulnerability Publication Date: 7/21/2021

Reference Information

CVE: CVE-2022-50563