cve 2025 38476

CVE-2025-38476 is a Linux kernel vulnerability in the IPv6 route-probing/lwtunnel code that can lead to a use-after-free condition detectable under KASAN testing. The flaw is addressed by an upstream patch described as 'rpl: Fix use-after-free in rpl_do_srh_inline'. Microsoft's Security Response Center (MSRC) has published an attestation stating that Azure Linux includes the implicated open-source component and is therefore potentially affected. Microsoft has also committed to expanding its machine-readable CSAF/VEX attestations as it inventories additional product artifacts. This tag covers discussions about the vulnerability, the patch, and Microsoft's response for Azure Linux users.