The Linux kernel CVE-2025-38173 has been assigned to a small but consequential fix in the Marvell CESA crypto driver: the kernel now explicitly handles zero‑length skcipher requests by returning 0 instead of dereferencing memory it shouldn't touch. The change is tiny in code — a defensive check...
The Linux kernel received a surgical but important fix for an out‑of‑bounds write in the Microchip/Marvell lan743x Ethernet driver, tracked as CVE‑2025‑38183, that corrects a mismatch between the number of supported PTP event channels and the size of the internal timestamp array — a programming...
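The channel-count/array-size mismatch behind that lan743x fix is a general bug class, so here is an added example (not the driver's code, and every `demo_` name is hypothetical) of how a practitioner keeps the two in lockstep: the channel count and the per-channel timestamp array are sized from one constant, a `_Static_assert` fails the build if they ever diverge, and any channel index taken from hardware or userspace is range-checked before it touches the array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the bug class above (not the lan743x driver): the number
 * of PTP event channels and the per-channel timestamp array come from one
 * constant, and every index that reaches the array is treated as untrusted. */
#define DEMO_PTP_N_EVENT_CHANNELS 4u
#define DEMO_ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct demo_ptp_state {
    uint64_t event_ts[DEMO_PTP_N_EVENT_CHANNELS]; /* one pending timestamp per channel */
    unsigned int n_channels;                      /* channels the device actually exposes */
};

/* Compile-time guard: bumping the channel count without growing the array
 * (or the reverse) now fails the build instead of corrupting kernel memory. */
_Static_assert(DEMO_ARRAY_SIZE(((struct demo_ptp_state *)0)->event_ts) ==
               DEMO_PTP_N_EVENT_CHANNELS,
               "timestamp array must have one slot per PTP event channel");

/* The device's capability register may advertise more channels than we built
 * storage for; refuse that rather than indexing past the array later. */
static int demo_ptp_init(struct demo_ptp_state *st, unsigned int advertised)
{
    if (advertised > DEMO_PTP_N_EVENT_CHANNELS)
        return -EINVAL;
    st->n_channels = advertised;
    for (size_t i = 0; i < DEMO_ARRAY_SIZE(st->event_ts); i++)
        st->event_ts[i] = 0;
    return 0;
}

/* Store an event timestamp. The channel index comes from an event status
 * register (or a userspace ioctl) and is validated against both the exposed
 * channel count and the physical array bound. */
static int demo_ptp_store_ts(struct demo_ptp_state *st, unsigned int channel, uint64_t ts)
{
    if (channel >= st->n_channels)                 /* not an exposed channel */
        return -EINVAL;
    if (channel >= DEMO_ARRAY_SIZE(st->event_ts))  /* belt-and-braces for the array */
        return -EINVAL;
    st->event_ts[channel] = ts;
    return 0;
}

static int demo_ptp_read_ts(const struct demo_ptp_state *st, unsigned int channel,
                            uint64_t *out)
{
    if (channel >= st->n_channels)
        return -EINVAL;
    *out = st->event_ts[channel];
    return 0;
}

/* Exercise the guards with constructed inputs; returns 0 when every check
 * behaves as intended, otherwise the number of the failing step. */
static int demo_ptp_selftest(void)
{
    struct demo_ptp_state st;
    uint64_t v = 0;

    if (demo_ptp_init(&st, DEMO_PTP_N_EVENT_CHANNELS + 1) != -EINVAL) return 1;
    if (demo_ptp_init(&st, 3) != 0) return 2;
    if (demo_ptp_store_ts(&st, 2, 0x1234) != 0) return 3;
    if (demo_ptp_read_ts(&st, 2, &v) != 0 || v != 0x1234) return 4;
    if (demo_ptp_store_ts(&st, 3, 1) != -EINVAL) return 5; /* slot exists, channel not exposed */
    if (demo_ptp_store_ts(&st, 7, 1) != -EINVAL) return 6; /* would have written past the array */
    return 0;
}
```

The static assertion is the cheap part of the fix: it catches the exact mistake the advisory describes (a count and an array that were meant to match but were edited independently) before the code ever runs.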
A kernel-level Thunderbolt bug tracked as CVE‑2025‑38174 — described upstream as "thunderbolt: Do not double dequeue a configuration request" — has been assigned after reports of kernel crashes caused by a double-dequeue operation in the Thunderbolt configuration request path. The immediate...
The Linux kernel received a targeted fix for F2FS that prevents a kernel panic when the filesystem’s on-disk metadata disagrees with per-inode mapped-block counts — a sanity check was added around sbi->total_valid_block_count so the system logs the inconsistency and marks the filesystem for fsck...
The Linux kernel fix labeled CVE-2025-38160 patches a simple but meaningful null-pointer check omission in the Raspberry Pi clock driver: a call to devm_kasprintf() in raspberrypi_clk_register() could return NULL on allocation failure and the caller did not guard against that, allowing a kernel...
A bug in the Linux kernel’s hardware-monitoring driver for ASUS embedded‑controller sensors — tracked as CVE‑2025‑38142 — was fixed upstream this summer, and Microsoft’s advisory for the issue explicitly attests that Azure Linux is a product that includes the affected open‑source component...
The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable ath9k_htc code, but it is the only Microsoft product Microsoft has publicly attested so far as “including this open‑source library and therefore potentially affected.” That...
The Linux kernel patch that closed a net/mdiobus flaw assigned CVE-2025-38110 has drawn renewed attention to how large vendors — Microsoft included — publish product-level attestations for open-source components and what those attestations actually mean for operators running other...
The Linux kernel patch that closed CVE-2025-38108 — a race in net_sched’s RED implementation (__red_change) — is a reminder that a named distributor’s attestation about a component is a valuable, product-scoped signal, not a universal proof that the component cannot appear elsewhere inside the...
The Linux kernel fix for CVE-2024-44931 patches a small but security-sensitive bug in GPIO handling that could allow userspace to induce speculative reads outside a GPIO descriptor array, and Microsoft’s public advisory names Azure Linux as a product that “includes this open‑source library and...
The Linux kernel received a targeted fix for a subtle but disruptive bug in its object‑aggregation helper: CVE‑2024‑43846 — “lib: objagg: Fix general protection fault”, a defect that can trigger a general protection fault (GPF) and turn routine operations into a local denial‑of‑service condition...
A deceptively small bug in the Linux kernel’s virtual Wi‑Fi driver — tracked as CVE‑2024‑43841 — has prompted an important question from customers: when Microsoft’s update guide states that “Azure Linux includes this open‑source library and is therefore potentially affected,” does that mean...
Microsoft’s brief FAQ line — “Azure Linux includes this open‑source library and is therefore potentially affected” — is accurate as a product‑level inventory statement, but it is not a technical guarantee that no other Microsoft product can include the same vulnerable code; the true blast radius...
A divide‑by‑zero bug in the Linux kernel’s serial core — tracked as CVE‑2024‑43893 — can be triggered by a malformed TIOCSSERIAL ioctl and lead to a kernel oops that knocks a host offline; the defect has been fixed upstream and backported into stable trees, but administrators and embedded device...
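To make the TIOCSSERIAL hazard concrete, here is an added example (illustrative code, not the kernel's serial core; the `demo_` names and the flag values are assumed for the example, with field names only mirroring `struct serial_struct`) showing the vulnerable shape beside the hardened one: the custom-baud calculation divides by a userspace-supplied `custom_divisor` and by a `baud_base` derived from the port clock, so both operands are validated, and the request is rejected with `-EINVAL`, before the port state is committed.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed model of what a TIOCSSERIAL caller supplies and what the port
 * keeps; this is example code, not the serial core. Flag values assumed. */
#define DEMO_ASYNC_SPD_MASK 0x1030u
#define DEMO_ASYNC_SPD_CUST 0x0030u

struct demo_serial_args {
    unsigned int flags;          /* ASYNC_* bits chosen by the caller */
    unsigned int custom_divisor; /* caller-chosen divisor, zero is legal on the wire */
};

struct demo_uart_port {
    unsigned int flags;
    unsigned int uartclk;        /* hardware clock in Hz; may be 0 on a misconfigured port */
    unsigned int custom_divisor;
};

/* Vulnerable shape: trusts both operands. With custom_divisor == 0 (or a port
 * whose clock is 0) this is the in-kernel divide-by-zero that oopses the host.
 * Only ever called below with operands already known to be non-zero. */
static unsigned int demo_custom_baud_unchecked(const struct demo_uart_port *p)
{
    return (p->uartclk / 16) / p->custom_divisor;
}

/* Hardened shape: validate every operand of the division first, commit the new
 * port state only afterwards, and hand -EINVAL back to the ioctl caller. */
static int demo_set_serial(struct demo_uart_port *p, const struct demo_serial_args *a,
                           unsigned int *baud_out)
{
    unsigned int new_flags = (p->flags & ~DEMO_ASYNC_SPD_MASK) |
                             (a->flags & DEMO_ASYNC_SPD_MASK);
    unsigned int baud_base = p->uartclk / 16;

    if ((new_flags & DEMO_ASYNC_SPD_MASK) == DEMO_ASYNC_SPD_CUST) {
        /* Both operands are attacker-influenced: the divisor comes straight from
         * userspace, baud_base from a clock that may never have been set. */
        if (baud_base == 0 || a->custom_divisor == 0)
            return -EINVAL;
        *baud_out = baud_base / a->custom_divisor;
    } else {
        *baud_out = 0;           /* custom rate not requested; termios rate applies */
    }

    /* Validation passed: commit. A rejected request leaves the port untouched. */
    p->flags = new_flags;
    p->custom_divisor = a->custom_divisor;
    return 0;
}

/* Constructed inputs: a 16550-style 1.8432 MHz clock (baud_base 115200) and a
 * divisor of 12 give 9600 baud; then the malformed requests. Returns 0 on
 * success, otherwise the number of the failing step. */
static int demo_serial_selftest(void)
{
    struct demo_uart_port port = { .flags = 0, .uartclk = 1843200, .custom_divisor = 0 };
    struct demo_serial_args ok = { .flags = DEMO_ASYNC_SPD_CUST, .custom_divisor = 12 };
    struct demo_serial_args zero_div = { .flags = DEMO_ASYNC_SPD_CUST, .custom_divisor = 0 };
    struct demo_serial_args no_cust = { .flags = 0, .custom_divisor = 0 };
    struct demo_uart_port dead_clock = { .flags = 0, .uartclk = 0, .custom_divisor = 0 };
    unsigned int baud = 0;

    if (demo_set_serial(&port, &ok, &baud) != 0 || baud != 9600) return 1;
    if (demo_custom_baud_unchecked(&port) != 9600) return 2;   /* same answer when operands are sane */
    if (demo_set_serial(&port, &zero_div, &baud) != -EINVAL) return 3;
    if (port.custom_divisor != 12) return 4;                    /* rejected request left state intact */
    if (demo_set_serial(&port, &no_cust, &baud) != 0 || baud != 0) return 5; /* no division requested */
    if (demo_set_serial(&dead_clock, &ok, &baud) != -EINVAL) return 6;
    return 0;
}
```

The ordering matters as much as the zero check: validating before committing means a rejected ioctl cannot leave a zero divisor in the port for a later code path to trip over.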
The recent CVE entry for CVE-2024-43891 — a Linux kernel tracing fix described as “tracing: Have format file honor EVENT_FILE_FL_FREED” — prompted a familiar question among Azure customers and enterprise operators: when Microsoft’s MSRC page says “Azure Linux includes this open‑source library...
A subtle race in the Linux SCSI qla2xxx driver that could crash hosts during NPIV or firmware reset sequences has been publicly documented as CVE-2024-42287; upstream maintainers have issued a targeted fix (complete command handling while holding the driver lock) and major distributions have...
A subtle pointer mix-up in the Linux kernel’s mISDN telephony driver — a use‑after‑free in hfcmulti_tx() — landed as CVE‑2024‑42280 and serves as another clear reminder that tiny lifecycle mistakes in kernel code can produce outsized operational pain for operators and vendors alike. The flaw is...
A subtle but consequential resource‑leak fix for the Linux kernel’s octeontx2‑pf driver — tracked as CVE‑2023‑52905 — closes a hole in the Virtual Function (VF) unbind path where allocated structures (notably mcam entries for Ntuple features and hash tables used by the traffic‑control (tc) code)...
The Linux kernel fix tracked as CVE-2022-48893 addresses a long-standing robustness gap in the Intel i915 DRM driver: when driver initialization aborts partway through GT/engine discovery, some engine structures could remain only partially initialized, leaving their cleanup hooks unset...
The Linux kernel received a surgical fix for a subtle JFS bug that could trigger a shift-out-of-bounds in the dbDiscardAG routine — a condition that, if exercised on vulnerable kernels, can cause kernel instability and denial-of-service. The problem is small in code footprint but meaningful in...
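Shift-out-of-bounds bugs of the kind fixed in dbDiscardAG arise when a shift count read from on-disk metadata is used without checking it against the width of the type. The following is an added example (not fs/jfs code; the `demo_` names and the allocation-group layout are hypothetical) of the defensive pattern: reject a log2 size that would shift by 64 or more as corruption, derive any further shift count by a loop that cannot exceed the type width, and cross-check the free-block count against the group size before using it.

```c
#include <errno.h>
#include <stdint.h>

#ifndef EUCLEAN
#define EUCLEAN 117   /* "structure needs cleaning": what filesystems return for bad metadata */
#endif

/* Constructed model of the bug class above (not the JFS dmap code): a shift
 * count from on-disk metadata turns a log2 size into a block count. Shifting a
 * 64-bit value by 64 or more is undefined behaviour; UBSAN reports it as
 * shift-out-of-bounds and the result can poison every calculation after it. */
#define DEMO_BITS_PER_U64 64u

struct demo_ag {          /* allocation-group summary, as if read from disk */
    uint32_t l2agsize;    /* log2 of blocks per allocation group (untrusted) */
    uint64_t nfree;       /* free blocks in the group (untrusted) */
};

/* Validate the shift count before shifting. Fills *nblocks on success,
 * returns -EUCLEAN for metadata that must not be trusted. */
static int demo_ag_blocks(const struct demo_ag *ag, uint64_t *nblocks)
{
    if (ag->l2agsize >= DEMO_BITS_PER_U64)
        return -EUCLEAN;               /* (1 << 64) is undefined; treat as corruption */
    *nblocks = (uint64_t)1 << ag->l2agsize;
    return 0;
}

/* log2 of the largest power-of-two run of free blocks that a discard could
 * cover. The derived count is produced by a loop, so it is < 64 by construction
 * and a caller's later (1ULL << l2nb) can never shift out of range. */
static int demo_discard_l2nb(const struct demo_ag *ag, uint32_t *l2nb)
{
    uint64_t agblocks, run;
    uint32_t l2 = 0;
    int rc = demo_ag_blocks(ag, &agblocks);

    if (rc)
        return rc;
    if (ag->nfree > agblocks)
        return -EUCLEAN;               /* more free blocks than the group holds */
    if (ag->nfree == 0)
        return -ENOSPC;                /* nothing to discard */
    for (run = ag->nfree; run > 1; run >>= 1)
        l2++;
    *l2nb = l2;
    return 0;
}

/* Constructed groups: one sane, one with an impossible shift, one whose free
 * count contradicts its size. Returns 0 on success, else the failing step. */
static int demo_jfs_selftest(void)
{
    struct demo_ag sane     = { .l2agsize = 12, .nfree = 3000 };   /* 4096-block group */
    struct demo_ag max_ok   = { .l2agsize = 63, .nfree = 1 };
    struct demo_ag bad_l2   = { .l2agsize = 64, .nfree = 1 };      /* would shift by 64 */
    struct demo_ag bad_free = { .l2agsize = 12, .nfree = 5000 };   /* 5000 > 4096 */
    struct demo_ag empty    = { .l2agsize = 12, .nfree = 0 };
    uint64_t blocks = 0;
    uint32_t l2nb = 0;

    if (demo_ag_blocks(&sane, &blocks) != 0 || blocks != 4096) return 1;
    if (demo_ag_blocks(&max_ok, &blocks) != 0 || blocks != ((uint64_t)1 << 63)) return 2;
    if (demo_ag_blocks(&bad_l2, &blocks) != -EUCLEAN) return 3;
    if (demo_discard_l2nb(&sane, &l2nb) != 0 || l2nb != 11) return 4; /* 2048 <= 3000 < 4096 */
    if (demo_discard_l2nb(&bad_free, &l2nb) != -EUCLEAN) return 5;
    if (demo_discard_l2nb(&empty, &l2nb) != -ENOSPC) return 6;
    return 0;
}
```

Building the example (or a kernel under test) with `-fsanitize=shift` turns the undefined shift into a loud, attributable report instead of silent corruption, which is how this class of bug is usually found in the first place.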