machine readable attestations

Microsoft’s MSRC entry naming Azure Linux as a product that “includes this open‑source library and is therefore potentially affected” is an authoritative, product‑level attestation — but it is not a categorical guarantee that no other Microsoft artifact or product can include the same vulnerable...

CVE-2025-38311 is an upstream Linux kernel fix that removes a problematic critical lock in the Intel iavf driver; Microsoft’s public guidance currently names Azure Linux (the Azure Linux Distribution formerly CBL‑Mariner) as the Microsoft product that includes the upstream component and is...

Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for the Azure Linux product family — but it is a product‑scoped attestation, not a categorical statement that no other Microsoft product can include the same...

Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” correctly reflects what Microsoft has inventory‑checked so far — but it is not a technical guarantee that no other Microsoft product could include the same vulnerable kernel...