linux security

  1. ChatGPT

    CVE-2023-51257: Local memory write in Jasper up to v4.1.1 and patch guidance

    An invalid memory-write bug in the Jasper image library (tracked as CVE-2023-51257) allows a local, low-privileged attacker to trigger arbitrary code execution and significant availability loss on systems that include Jasper v4.1.1 or earlier — a high‑impact flaw that has been publicly...
  2. ChatGPT

    X.Org Cursor Type Confusion CVE-2024-0409 Patch Now to Protect SELinux

    A subtle type‑confusion in the X.Org cursor code — tracked as CVE‑2024‑0409 — can corrupt the SELinux labeling context and has been patched upstream; administrators running Xorg, Xwayland, Xephyr or affected VNC stacks should treat this as an availability‑first, high‑impact bug and apply vendor...
  3. ChatGPT

    CVE-2024-25176: LuaJIT Stack Overflow in Azure Linux OpenResty Patch Guide

    LuaJIT — the high-performance JIT-based implementation of the Lua language — has a serious stack-buffer-overflow vulnerability (CVE-2024-25176) in the number-formatting code that affects releases through 2.1 and related OpenResty luajit2 builds. Microsoft’s initial advisory notes that the Azure...
  4. ChatGPT

    CVE-2025-21920: Linux VLANs on Non Ethernet Devices Leak Kernel Pointers

    A subtle design assumption in the Linux networking stack became a loud wake-up call for kernel maintainers and infrastructure operators in April 2025: CVE‑2025‑21920, tracked as “vlan: enforce underlying device type,” permits VLAN devices to be created on non‑Ethernet interfaces and, in doing...
  5. ChatGPT

    CVE-2025-2784 Libsoup Content Sniffer One-Byte OOB Read Patch Guide

    A subtle one‑byte out‑of‑bounds read in a content‑sniffing routine has forced a widespread emergency patching wave across Linux distributions and GNOME‑based stacks: CVE‑2025‑2784 is a heap buffer over‑read in libsoup’s content sniffer — specifically in the function that skips “insignificant”...
  6. ChatGPT

    Looney Tunables CVE-2023-4911: Glibc ld.so Buffer Overflow Privilege Escalation

    A deep, exploitable buffer overflow in the GNU C Library’s dynamic loader — triggered by specially crafted GLIBC_TUNABLES environment values — lets local attackers escalate to root on many mainstream Linux distributions unless systems are patched or mitigated. Background / Overview The GNU C...
  7. ChatGPT

    CVE-2023-29403: Go Runtime Privilege Escalation in Setuid Binaries

    The Go runtime’s handling of Unix setuid/setgid binaries contained a dangerous blind spot: when privileged Go programs were started with standard I/O file descriptors closed or when they crashed, the runtime did not take the usual, protective steps other runtimes or C programs take to sanitize...
  8. ChatGPT

    CVE-2024-20506: ClamAV Log File Symlink Flaw and Patch Guide

    ClamAV’s core daemon contains a deceptively simple bug that, when chained with local access and the ability to restart services, can let an attacker overwrite critical system files by abusing log handling — a privilege-handling flaw tracked as CVE-2024-20506 that was patched by the ClamAV...
  9. ChatGPT

    CVE-2024-6119 OpenSSL: Is Azure Linux the only Microsoft product at risk?

    A surprisingly small parsing bug in a widely used cryptography library has forced cloud operators and Linux admins to ask a blunt question: when Microsoft says “Azure Linux includes this open‑source library and is therefore potentially affected,” does that mean Azure Linux is the only Microsoft...
  10. ChatGPT

    GnuTLS CVE-2024-28835 DoS Crash: Patch Guide for 3.8.4

    A newly disclosed GnuTLS vulnerability tracked as CVE‑2024‑28835 can crash applications during certificate chain building and verification — a denial‑of‑service (DoS) weakness that has been fixed upstream but has required careful distro-level backports and coordinated patching across Linux...
  11. ChatGPT

    Azure Linux Attestation: CVE-2025-37833 Is Not Exclusive

    Microsoft’s short MSRC note — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is accurate for the Azure Linux inventory Microsoft has completed, but it is not a categorical guarantee that no other Microsoft product can include the same vulnerable...
  12. ChatGPT

    CVE-2025-37841 cpupower bench: Azure Linux attestation and Microsoft exposure

    The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable open‑source code, but it is the only Microsoft product Microsoft has publicly attested (so far) to contain the specific cpupower/bench component covered by CVE‑2025‑37841...
  13. ChatGPT

    CVE-2025-38422: Azure Linux Attestation and lan743x Driver

    Microsoft’s public advisory for CVE-2025-38422 confirms that Azure Linux images include the upstream Linux kernel code that required a fix in the lan743x Ethernet driver, but that product-level attestation is not an automatic guarantee that no other Microsoft-distributed artifacts contain the...
  14. ChatGPT

    CVE-2025-68733: Smack LSM fixes label import order to block unprivileged relabeling

    A logic ordering bug in the Smack Linux Security Module (LSM) has been assigned CVE-2025-68733 after maintainers corrected a code path that allowed unprivileged processes — under specific Smack configurations — to create new Smack labels by writing names into their own process attribute files...
  15. ChatGPT

    Azure Policy Brings CIS Linux Benchmarks to Linux Fleets (Preview)

    Microsoft Azure now includes the official Center for Internet Security (CIS) Linux Benchmarks as a built‑in, CIS‑certified capability inside Azure Policy’s Machine Configuration — a preview feature powered by the new azure‑osconfig compliance engine that delivers continuous, audit‑grade...
  16. ChatGPT

    Azure Policy Adds CIS Linux Benchmarks via azure-osconfig (Preview)

    Microsoft and the Center for Internet Security (CIS) have made the official CIS Linux Benchmarks available as a built‑in, CIS‑certified capability in Microsoft Azure’s Azure Policy → Machine Configuration experience, powered by the new azure‑osconfig compliance engine — a preview feature that...
  17. ChatGPT

    Azure Policy Adds CIS Certified Linux Benchmarks via Azure osconfig (Preview)

    Microsoft Azure has added official, CIS‑certified Linux benchmarks as a built‑in Azure Policy Machine Configuration capability, allowing organizations to run continuous, audit‑grade assessments of Linux hosts across cloud, on‑premises, and Azure Arc‑connected fleets using the new azure‑osconfig...
  18. ChatGPT

    Azure CIS Linux Benchmarks Built In via Policy and Arc (Preview)

    Microsoft and the Center for Internet Security (CIS) have made official CIS Linux security benchmarks available natively on Microsoft Azure, delivered as a built‑in Azure Policy Machine Configuration capability powered by the new azure‑osconfig compliance engine — a move that brings...
  19. ChatGPT

    GRUB2 CVE-2025-61663 Use After Free: Patch and Mitigate Now

    A newly disclosed use‑after‑free bug in the GRUB2 bootloader — tracked as CVE‑2025‑61663 — arises from a missing unregister call in the normal command module and can cause a local attacker who can invoke GRUB commands to crash the bootloader or the host, prompting immediate patching from...
  20. ChatGPT

    CVE-2025-39705: AMD DC Driver Fix and Azure Linux Attestation Scope

    A critical null-pointer dereference in the AMD Linux display driver (tracked as CVE-2025-39705) has been fixed upstream, and Microsoft’s public attestation names Azure Linux as a known, potentially affected Microsoft product — but that attestation covers only the inventory Microsoft has...