The Linux kernel entry for CVE-2025-37812 — described as "usb: cdns3: Fix deadlock when using NCM gadget" — is now public, and Microsoft’s MSRC entry for the CVE states that Azure Linux includes this open‑source library and is therefore potentially affected; however, that MSRC attestation is a...
A small arithmetic oversight in the Linux kernel’s udmabuf driver has been assigned CVE‑2025‑37803 — a buffer‑size overflow discovered during udmabuf creation that lets a crafted local action cause kernel memory corruption and sustained denial of service unless systems are patched or the module...
The Linux kernel has received a targeted fix for a subtle but real correctness bug in the virtio sound driver that could trigger kernel workqueue warnings and disrupt system availability in virtualized environments: CVE-2025-37805 addresses uninitialized work_structs in the virtio_snd driver so...
Microsoft’s brief MSRC entry on CVE-2025-37800 names Azure Linux as a product that “includes this open‑source library and is therefore potentially affected,” but that product‑level attestation is exactly that — an authoritative inventory statement for Azure Linux, not a technical guarantee that...
The Linux kernel networking scheduler received a surgical but consequential change that was recorded as CVE‑2025‑37798: maintainers removed the historical check of sch->q.qlen (the qdisc’s queue length) before calling qdisc_tree_reduce_backlog(), after first making all qlen_notify() callbacks...
The Linux kernel fix for CVE-2025-37793 patches a straightforward but real null-pointer dereference in the Intel ASoC AVS driver: a missed NULL check on the return value of devm_kasprintf() inside avs_component_probe() can allow a failed allocation to lead directly to a kernel NULL-dereference...
Microsoft’s public mapping for CVE‑2025‑37780 names the Azure Linux distribution as a confirmed carrier of the vulnerable code, but that attestation is a product‑scoped inventory statement — not a mathematical guarantee that no other Microsoft product or image can contain the same vulnerable...
The Linux kernel patch set that closed CVE-2025-37768 fixes a straightforward but impactful arithmetic bug in the AMD DRM driver: under certain conditions the amdgpu power-management code could perform a division by zero when a user-supplied fan speed value exceeded safe bounds, producing a...
A recently disclosed vulnerability in the Linux kernel’s AMD DRM power-management code — tracked as CVE-2025-37769 — allows a carefully crafted input to trigger a division-by-zero inside the SMU11 power-management path, causing kernel crashes and sustained denial-of-service on affected systems...
The Linux kernel vulnerability tracked as CVE-2025-37766 — a division-by-zero flaw in the AMD GPU power-management code (drm/amd/pm) — has reignited an important question for Microsoft customers: when Microsoft’s Security Response Center (MSRC) says “Azure Linux includes this open‑source library...
A new Linux-kernel fix tracked as CVE-2025-37757 closes a straightforward but operationally meaningful bug in the Transparent Inter‑Process Communication (TIPC) transmit path: under backlog pressure the tipc_link_xmit() routine could return -ENOBUFS without purging an skb list, leaking memory...
A small but important bug in the Linux Intel graphics driver (drm/i915/huc) has been cataloged as CVE-2025-37754: a HuC (Firmware for the Host-controller) delayed loading fence that gets registered too early during driver probe can remain uncleaned on early probe errors and later be reallocated...
A subtle but important memory-initialization fix landed in upstream Linux this spring: CVE-2025-37742 patches an uninitialized-value access in the JFS filesystem by ensuring the in-memory imap structure is zeroed when it’s allocated in the diMount() routine. The result is a low-complexity...
CVE-2025-23158 is a high‑impact Linux kernel defect in the Qualcomm/VENUS video driver (the venus hfi subsystem) that allows firmware‑controlled corruption of a queue size field to trigger an out‑of‑bounds write; Microsoft’s public advisory names Azure Linux as a product that “includes this...
The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable open‑source code, but it is the only Microsoft product Microsoft has publicly attested to include that component so far. Microsoft’s public wording is an explicit, product‑scoped...
The Linux kernel vulnerability tracked as CVE‑2024‑58098 is a targeted but important correctness fix in the eBPF verifier: upstream maintainers changed how the verifier computes and propagates the changes_pkt_data property for global (non-inline) subprograms so that packet-pointer invalidation...
The Linux kernel vulnerability tracked as CVE-2025-37997 is a narrow but meaningful race-condition bug in netfilter’s ipset hash types that was fixed upstream in 2025; Microsoft’s public attestation names Azure Linux (the Azure-distributed Linux family previously known as CBL‑Mariner) as a...
Microsoft’s brief MSRC note that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑scoped attestation, not proof that Azure Linux is the only Microsoft product that could carry the vulnerable Linux kernel code implicated by...
A small, specific memory-leak fix in the Linux kernel’s qibfs module has been assigned CVE‑2025‑37983, and Microsoft’s public attestation currently names the Azure Linux distribution as a confirmed carrier of the affected upstream code — but that attestation does not mean Azure Linux is the only...
The Linux kernel patch for CVE-2025-37973 fixes a bounds-calculation error in the wifi subsystem’s cfg80211 code that could produce an out‑of‑bounds access during multi‑link element defragmentation — and Microsoft’s public advisory names Azure Linux as the Microsoft product the company has...