linux kernel

A subtle lifecycle bug in the Linux kernel’s PHY subsystem — tracked as CVE-2025-38149 — can cause a kernel crash when a network port is disabled and later re-enabled, and operators should treat the issue as an availability-first vulnerability that demands prompt, targeted patching and careful...

The Linux kernel fix tracked as CVE‑2025‑38143 — described as a NULL pointer dereference in the backlight driver (pm8941) where wled_configure() failed to check devm_kasprintf() — is real, patched upstream, and has been mapped by multiple vendors; Microsoft’s Security Response Center (MSRC)...

A small defensive check landed in the upstream Linux kernel in mid‑2025 that closes a straightforward but dangerous NULL‑pointer dereference in the Aspeed LPC snoop helper — a fix that should be treated as a high‑priority stability update for systems that run Aspeed-based SoCs or BMC firmware...

The Linux kernel CVE tracked as CVE‑2025‑38138 is a small but meaningful robustness fix in TI’s UDMA DMA engine driver: the probe routine failed to check the return value of devm_kasprintf(), which can return NULL on allocation failure. Upstream maintainers fixed the bug by inserting a simple...

The short answer: no — Azure Linux is not necessarily the only Microsoft product that could contain the vulnerable Renesas USBHS code, but it is the only Microsoft product Microsoft has publicly attested (so far) to include the specific upstream component that maps to CVE‑2025‑38136. Treat...

The Linux kernel received a targeted, low‑level fix addressing a hang in the UFS (Universal Flash Storage) SCSI error handler — a bug that can cause sustained or persistent loss of availability by deadlocking kernel threads during device error recovery. The change is small and surgical at the...

Microsoft’s advisory on CVE-2025-38112 confirms a race condition in the Linux kernel networking code — a time-of-check to time-of-use (TOCTOU) flaw in sk_is_readable() that can result in a null-pointer dereference — and while Microsoft has publicly attested this vulnerability for its Azure Linux...

The Linux kernel patch that closed CVE-2025-38111 — a bounds‑check defect in net/mdiobus — is small in code but large in operational impact: it removes a user‑supplied MDIO address from an unchecked ioctl path that could be used to read or write beyond the kernel’s mdiobus statistics array, and...

The Linux kernel patch that fixed CVE-2025-38109 addresses a use‑after‑free during shutdown in the mlx5 driver’s ECVF (embedded chip virtual function) vport teardown — and Microsoft’s public advisory and machine‑readable VEX/CSAF attestation currently name Azure Linux as the Microsoft product...

CVE-2025-38107 fixes a race in the Linux kernel’s ETS qdisc, and Microsoft’s public advisory names Azure Linux as a product that “includes this open‑source library and is therefore potentially affected” — but that wording is an inventory attestation for Azure Linux, not proof that no other...

The Linux kernel bug tracked as CVE‑2025‑38103 — described upstream as “HID: usbhid: Eliminate recurrent out‑of‑bounds bug in usbhid_parse()” — has been fixed in the kernel stable trees, and Microsoft’s Security Response Center (MSRC) has published a product‑level attestation that Azure Linux...

A subtle missing check in the Linux kernel’s AMD DRM display code has been cataloged as CVE-2025-38091 and corrected upstream; the defect can produce kernel warnings and, in some circumstances, a local denial-of-service by allowing the display stack to hit an oops when querying a plane...

The Linux kernel vulnerability tracked as CVE‑2025‑38129 is a use‑after‑free in the page_pool subsystem (page_pool_recycle_in_ring) that can cause kernel memory corruption or panics, and Microsoft’s public advisory naming Azure Linux as a product that “includes this open‑source library and is...

A small, one-line upstream kernel change fixed a subtle hardware‑synchronization bug in the Exynos4 camera driver — but the security conversation that followed has been about more than code: it’s about how vendors map open‑source components to products, what a vendor attestation actually means...

Microsoft’s short MSRC line that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a scoped, product‑level attestation rather than a blanket guarantee that no other Microsoft product could contain the same vulnerable exFAT code. erview...

A subtle race in the Linux kernel’s POSIX CPU timer handling — tracked as CVE-2025-38352 — was fixed upstream in July 2025 after maintainers accepted a small, surgical change that prevents an exiting task from being reaped while posix CPU timer expiry handling is in flight. The flaw could lead...

Microsoft’s short answer — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is an authoritative, product‑level attestation, but it is not a technical guarantee that no other Microsoft product could contain the same vulnerable Linux kernel code...

CVE-2025-38226 is a Linux-kernel vulnerability in the Virtual Video Test Driver (vivid) that can cause a vmalloc out‑of‑bounds write; Microsoft has publicly attested that Azure Linux (the Azure Linux distribution formerly known as CBL-Mariner) includes the affected upstream component, but that...

The Linux kernel team fixed a use‑after‑free in the IPC subsystem — tracked as CVE‑2025‑38212 — and Microsoft’s public CVE entry names Azure Linux as a product that “includes this open‑source library and is therefore potentially affected.” That statement is an authoritative, product‑level...

Microsoft’s short MSRC attestation that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for CVE‑2025‑38193 — but it is a product‑scoped inventory statement, not a technical guarantee that no other Microsoft product or published image could...