msrc attestation

A recent upstream Linux kernel fix for CVE‑2025‑37961 addresses an uninitialized-value (KMSAN) finding in the IP Virtual Server (IPVS) codepath — specifically an uninitialized saddr value in do_output_route4 — and Microsoft’s Security Response Center (MSRC) has published an attestation that...

The Linux kernel bug tracked as CVE‑2024‑41067 — a Btrfs scrub path error that can trigger an ASSERT and host instability — has been publicly fixed upstream, and Microsoft’s published advisory names Azure Linux as a Microsoft‑branded product that includes the affected open‑source component and...

Microsoft’s brief advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” correctly identifies a scoped, product‑level exposure — but it is not a categorical statement that no other Microsoft product can include the same nvme‑fabrics code that...

Microsoft’s brief advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate as a product‑scoped inventory statement — but it does not mean Azure Linux is technically the only Microsoft product that could include the vulnerable code, and...

The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable component, but it is the only Microsoft product Microsoft has publicly attested as including the affected code for this CVE at the time of the advisory; absence of an attestation...