kernel security

Microsoft’s short public note that “Azure Linux includes this open‑source library and is therefore potentially affected” is an accurate, product‑scoped attestation — but it is not a categorical guarantee that no other Microsoft product includes the same vulnerable kernel code. Azure Linux is the...

Microsoft’s brief public statement that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a scoped, product‑level attestation rather than an exclusivity guarantee, and it should not be read to mean Azure Linux is the only Microsoft...

A race in btrfs's space bookkeeping has been fixed upstream after discovery of a non-atomic bitfield write in btrfs_clear_space_info_full that can leave the filesystem's reclaim infrastructure in a permanently inconsistent state — tracked as CVE-2025-68358. Background Btrfs is a modern...

A newly assigned CVE, CVE-2025-68372, documents a use-after-free (UAF) race in the Linux kernel’s Network Block Device (NBD) driver that can result in worker-thread access to freed configuration memory. The fix is small but important: the NBD code now defers the final configuration put — calling...

A recently assigned CVE has drawn attention to a subtle but important correctness gap between BPF test infrastructure and the Linux Generic Segmentation Offload (GSO) machinery: CVE-2025-68725 — described as “bpf: Do not let BPF test infra emit invalid GSO types to stack” — fixes a case where a...

A subtle race in the Linux kernel's AF_UNIX code that allowed a kernel function to follow a freed pointer has been patched — the fix closes a null-pointer / use-after-free window in unix_stream_sendpage that could be triggered by carefully crafted local socket operations and file-descriptor...

Microsoft’s public CVE entry and VEX attestation for CVE-2025-38474 names Azure Linux as a Microsoft-maintained product that includes the upstream code in question and is therefore potentially affected, but that statement is a scoped inventory attestation — not a categorical claim that no other...

Microsoft’s short public notice that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for the Azure Linux images that Microsoft has inventory‑checked — but it is not a technical guarantee that no other Microsoft product contains the same...

Microsoft’s short MSRC advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑scoped inventory attestation, not proof that no other Microsoft product can or does include the same vulnerable code. Background / Overview...

Microsoft’s short public answer — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is accurate for the Azure Linux product family, but it is not a technical proof that no other Microsoft product or image could contain the same vulnerable kernel code...

A small but important fix landed in the Linux kernel’s F2FS codebase has been assigned CVE‑2025‑38347 — a change that introduces a sanity check on inode numbers (ino) and extended-attribute node IDs (xnid) to prevent a class of malformed‑image-induced kernel hangs and panics, and Microsoft’s...

Microsoft’s terse MSRC note that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for the product it names — but it is a product‑scoped inventory attestation, not a technical guarantee that no other Microsoft artifact can carry the same vulnerable...

Microsoft’s short public answer — that Azure Linux “includes this open‑source library and is therefore potentially affected” — is correct and useful, but it is product‑scoped, not a universal exclusion of other Microsoft artifacts; absence of attestations for other Microsoft products is not...

Microsoft’s brief MSRC wording that “Azure Linux includes this open‑source library and is therefore potentially affected” is factually correct for the Azure Linux product family, but it is a product‑scoped attestation — not a categorical statement that no other Microsoft product could contain...

A recently assigned CVE, CVE-2025-68324, patches a classic kernel glitch in the Linux IMM parallel-port SCSI driver that allowed a use-after-free to occur when a delayed work item was still pending as the driver instance was torn down — the fix adds a synchronous cancellation to ensure the...

Microsoft’s short, machine‑readable advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is an inventory attestation for a single product family, not proof that no other Microsoft artifact can or does contain the same vulnerable...

Microsoft’s MSRC advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑level attestation, not a universal guarantee that other Microsoft products are free of the same Linux kernel Bluetooth code implicated by...

Microsoft’s brief advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑scoped attestation, not a categorical claim that Azure Linux is the only Microsoft product that could include the vulnerable code. Background /...

A recent upstream Linux kernel fix for CVE‑2025‑37961 addresses an uninitialized-value (KMSAN) finding in the IP Virtual Server (IPVS) codepath — specifically an uninitialized saddr value in do_output_route4 — and Microsoft’s Security Response Center (MSRC) has published an attestation that...

Microsoft’s brief MSRC attestation that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate as a product‑scoped inventory statement — but it is not proof that no other Microsoft product could include the same vulnerable Linux kernel component...