cve 2025 38190

About this tag
CVE-2025-38190 is a vulnerability affecting the ATM subsystem in Azure Linux. Microsoft's official statement confirms that Azure Linux includes the vulnerable open-source library and is potentially affected, but this attestation does not guarantee that other Microsoft products are free of the vulnerable code. Until Microsoft publishes additional Vulnerability Exploitability eXchange (VEX) or CSAF attestations or per-artifact SBOMs, defenders must verify other Microsoft artifacts independently. The discussion on WindowsForum highlights the need for greater transparency through machine-readable VEX for Azure Linux, emphasizing that defenders should not assume safety beyond the explicitly attested products.
  1. CVE-2025-38190: Azure Linux Attestations Spotlight Per Artifact Verification

    Microsoft’s short public line — “Azure Linux includes this open‑source library and is therefore potentially affected by this vulnerability” — is accurate as a product‑level inventory attestation, but it is not a technical guarantee that no other Microsoft product could contain the vulnerable ATM...