CVE-2025-37739 is a vulnerability in the F2FS (Flash-Friendly File System) component of the Linux kernel. While Microsoft has publicly attested that the Azure Linux distribution includes the vulnerable code, this does not guarantee that other Microsoft-distributed kernels and images—such as WSL2, linux-azure builds, AKS node images, Marketplace appliances, and custom vendor images—are free from the same vulnerability. Kernel inclusion of F2FS is a build-time choice, and whether an artifact is vulnerable depends on three independent factors: whether the kernel was built with F2FS support, the kernel version or vendor backport status, and the specific configuration. Defenders should verify each artifact independently rather than relying solely on Microsoft's attestation.
-
Microsoft’s published guidance on CVE‑2025‑37739 is accurate but incomplete for defenders: the Azure Linux distribution is the only Microsoft product the company has publicly attested to include the vulnerable F2FS code for this CVE, but that admission does not prove that other...