linux kernel

  1. ChatGPT

    Linux Kernel Patch CVE-2025-38111: MDIO Bounds Check Fix Prevents Out-of-Bounds IOCTL

    The Linux kernel patch that closed CVE-2025-38111 — a bounds‑check defect in net/mdiobus — is small in code but large in operational impact: it removes a user‑supplied MDIO address from an unchecked ioctl path that could be used to read or write beyond the kernel’s mdiobus statistics array, and...
  2. ChatGPT

    CVE-2025-38109 Linux mlx5 UAF: Shutdown Fix and Azure Linux Attestation

    The Linux kernel patch that fixed CVE-2025-38109 addresses a use‑after‑free during shutdown in the mlx5 driver’s ECVF (embedded chip virtual function) vport teardown — and Microsoft’s public advisory and machine‑readable VEX/CSAF attestation currently name Azure Linux as the Microsoft product...
  3. ChatGPT

    CVE-2025-38107: Azure Linux Attestation and Microsoft Artifact Risk

    CVE-2025-38107 fixes a race in the Linux kernel’s ETS qdisc, and Microsoft’s public advisory names Azure Linux as a product that “includes this open‑source library and is therefore potentially affected” — but that wording is an inventory attestation for Azure Linux, not proof that no other...
  4. ChatGPT

    CVE-2025-38103: Linux HID Bug Fixed; Azure Linux Attestation Explained

    The Linux kernel bug tracked as CVE‑2025‑38103 — described upstream as “HID: usbhid: Eliminate recurrent out‑of‑bounds bug in usbhid_parse()” — has been fixed in the kernel stable trees, and Microsoft’s Security Response Center (MSRC) has published a product‑level attestation that Azure Linux...
  5. ChatGPT

    CVE-2025-38091: Linux AMD DRM DML21 NULL Plane ID Guard Fix

    A subtle missing check in the Linux kernel’s AMD DRM display code has been cataloged as CVE-2025-38091 and corrected upstream; the defect can produce kernel warnings and, in some circumstances, a local denial-of-service by allowing the display stack to hit an oops when querying a plane...
  6. ChatGPT

    CVE-2025-38129 Linux Kernel Page Pool UAF and Azure Linux Attestation

    The Linux kernel vulnerability tracked as CVE‑2025‑38129 is a use‑after‑free in the page_pool subsystem (page_pool_recycle_in_ring) that can cause kernel memory corruption or panics, and Microsoft’s public advisory naming Azure Linux as a product that “includes this open‑source library and is...
  7. ChatGPT

    CVE-2025-38237: Exynos4 Camera Driver Patch and Azure Linux Attestation

    A small, one-line upstream kernel change fixed a subtle hardware‑synchronization bug in the Exynos4 camera driver — but the security conversation that followed has been about more than code: it’s about how vendors map open‑source components to products, what a vendor attestation actually means...
  8. ChatGPT

    CVE-2025-38206 ExFAT Double Free: Azure Linux Attestation Explained

    Microsoft’s short MSRC line that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a scoped, product‑level attestation rather than a blanket guarantee that no other Microsoft product could contain the same vulnerable exFAT code...
  9. ChatGPT

    Linux Kernel POSIX CPU Timer Race CVE-2025-38352 Fixed Upstream

    A subtle race in the Linux kernel’s POSIX CPU timer handling — tracked as CVE-2025-38352 — was fixed upstream in July 2025 after maintainers accepted a small, surgical change that prevents an exiting task from being reaped while posix CPU timer expiry handling is in flight. The flaw could lead...
  10. ChatGPT

    Understanding CVE-2025-38239: Azure Linux Attestation and Patch Verification

    Microsoft’s short answer — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is an authoritative, product‑level attestation, but it is not a technical guarantee that no other Microsoft product could contain the same vulnerable Linux kernel code...
  11. ChatGPT

    CVE-2025-38226: Vivid Kernel Driver Risk in Azure Linux and Microsoft Artifacts

    CVE-2025-38226 is a Linux-kernel vulnerability in the Virtual Video Test Driver (vivid) that can cause a vmalloc out‑of‑bounds write; Microsoft has publicly attested that Azure Linux (the Azure Linux distribution formerly known as CBL-Mariner) includes the affected upstream component, but that...
  12. ChatGPT

    CVE-2025-38212 Patch Priority: Azure Linux and Microsoft Kernel Audits

    The Linux kernel team fixed a use‑after‑free in the IPC subsystem — tracked as CVE‑2025‑38212 — and Microsoft’s public CVE entry names Azure Linux as a product that “includes this open‑source library and is therefore potentially affected.” That statement is an authoritative, product‑level...
  13. ChatGPT

    CVE-2025-38193: Azure Linux SFQ Flaw and MSRC Attestation Explained

    Microsoft’s short MSRC attestation that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for CVE‑2025‑38193 — but it is a product‑scoped inventory statement, not a technical guarantee that no other Microsoft product or published image could...
  14. ChatGPT

    Kernel CVE-2025-38173: Zero-Length Skcipher Fix in Marvell CESA Driver

    The Linux kernel CVE-2025-38173 has been assigned to a small but consequential fix in the Marvell CESA crypto driver: the kernel now explicitly handles zero‑length skcipher requests by returning 0 instead of dereferencing memory it shouldn't touch. The change is tiny in code — a defensive check...
  15. ChatGPT

    Linux Kernel LAN743x PTP Fix CVE-2025-38183 Keeps Time Sync Safe

    The Linux kernel received a surgical but important fix for an out‑of‑bounds write in the Microchip/Marvell lan743x Ethernet driver, tracked as CVE‑2025‑38183, that corrects a mismatch between the number of supported PTP event channels and the size of the internal timestamp array — a programming...
  16. ChatGPT

    CVE-2025-38174: Linux Thunderbolt double dequeue causing kernel crashes at Azure Linux

    A kernel-level Thunderbolt bug tracked as CVE‑2025‑38174 — described upstream as "thunderbolt: Do not double dequeue a configuration request" — has been assigned after reports of kernel crashes caused by a double-dequeue operation in the Thunderbolt configuration request path. The immediate...
  17. ChatGPT

    Linux Kernel F2FS CVE-2025-38163 Fix: Panic Avoided With fsck Flag

    The Linux kernel received a targeted fix for F2FS that prevents a kernel panic when the filesystem’s on-disk metadata disagrees with per-inode mapped-block counts — a sanity-check was added around sbi->total_valid_block_count so the system logs the inconsistency and marks the filesystem for fsck...
  18. ChatGPT

    CVE-2025-38160: Raspberry Pi Clock Driver NULL Pointer Fix and Azure Linux Attestation

    The Linux kernel fix labeled CVE-2025-38160 patches a simple but meaningful null-pointer check omission in the Raspberry Pi clock driver: a call to devm_kasprintf() in raspberrypi_clk_register() could return NULL on allocation failure and the caller did not guard against that, allowing a kernel...
  19. ChatGPT

    Understanding CVE-2025-38142: ASUS EC sensors bug in Azure Linux and Microsoft artifacts

    A bug in the Linux kernel’s hardware-monitoring driver for ASUS embedded‑controller sensors — tracked as CVE‑2025‑38142 — was fixed upstream this summer, and Microsoft’s advisory for the issue explicitly attests that Azure Linux is a product that includes the affected open‑source component...
  20. ChatGPT

    CVE-2025-38157: Azure Linux attestation and broader Microsoft kernel risk

    The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable ath9k_htc code, but it is the only Microsoft product Microsoft has publicly attested so far as “including this open‑source library and therefore potentially affected.” That...