CVE-2025-5987 is a vulnerability in libssh caused by a mismatch in return-code semantics between OpenSSL and libssh, where libssh can misinterpret OpenSSL's error return as a success code. This issue, particularly during ChaCha20 initialization under heap exhaustion, affects Azure Linux: Microsoft's advisory confirms that the product includes the open-source library and is potentially impacted. Discussions on WindowsForum clarify that Microsoft's attestation is product-scoped and not a claim that Azure Linux is the only affected product. The thread examines the technical details of the flaw, its tracking across vendor databases, and the implications for Azure Linux users, emphasizing the need for patching and careful interpretation of vendor advisories.
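The return-code mismatch described above, as an added illustration that is not libssh or OpenSSL source: OpenSSL's EVP calls return 1 on success and 0 on failure, while libssh defines `SSH_OK` as 0 and `SSH_ERROR` as -1. `stub_evp_init`, `cipher_setup_flawed`, `cipher_setup_hardened` and `failure_is_masked` are hypothetical names, and the allocation failure is simulated with a flag.

```c
#include <stdio.h>
#include <stdlib.h>

#define SSH_OK     0    /* libssh convention: 0 is success */
#define SSH_ERROR (-1)

/* Hypothetical stand-in for an OpenSSL EVP init call, keeping OpenSSL's
 * convention: 1 on success, 0 on failure. fail_alloc models heap exhaustion. */
static int stub_evp_init(void **ctx, int fail_alloc)
{
    *ctx = fail_alloc ? NULL : malloc(64);
    return *ctx != NULL;
}

/* Flawed pattern: one variable carries both conventions. On failure it still
 * holds OpenSSL's 0, which the caller reads as SSH_OK. */
int cipher_setup_flawed(void **ctx, int fail_alloc)
{
    int ret = stub_evp_init(ctx, fail_alloc);
    if (ret != 1) goto out;          /* ret == 0 on this path */
    ret = SSH_OK;
out:
    return ret;
}

/* Hardened pattern: the return value starts as SSH_ERROR and becomes SSH_OK
 * only after the library call has been checked against its own convention. */
int cipher_setup_hardened(void **ctx, int fail_alloc)
{
    int rv = SSH_ERROR;
    if (stub_evp_init(ctx, fail_alloc) != 1) goto out;
    rv = SSH_OK;
out:
    return rv;
}

/* Returns 1 when a caller testing "== SSH_OK" would continue with a NULL
 * (never initialized) context, i.e. the failure was masked. */
int failure_is_masked(int (*setup)(void **, int))
{
    void *ctx = NULL;
    int rc = setup(&ctx, 1);         /* force the allocation failure */
    return rc == SSH_OK && ctx == NULL;
}

int main(void)
{
    printf("flawed masked=%d hardened masked=%d\n",
           failure_is_masked(cipher_setup_flawed),
           failure_is_masked(cipher_setup_hardened));
    return 0;
}
```

When auditing wrapper code around OpenSSL, the thing to look for is any path where a variable assigned from an OpenSSL call can reach a `return` that callers compare against `SSH_OK`.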
Microsoft’s short advisory language — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is an accurate, product‑scoped attestation, but it is not a categorical statement that Azure Linux is the only Microsoft product that could ever contain the...