CVE-2024-41067: Azure Linux Btrfs Bug and Microsoft Attestation

The Linux kernel bug tracked as CVE‑2024‑41067 — a Btrfs scrub path error that can trigger an ASSERT and host instability — has been publicly fixed upstream, and Microsoft’s published advisory names Azure Linux as a Microsoft‑branded product that includes the affected open‑source component and is therefore “potentially affected.” That wording is an authoritative, product‑scoped attestation for Azure Linux, but it is not proof that no other Microsoft product or image can carry the same vulnerable Btrfs code; operators must treat other Microsoft‑distributed kernel artifacts (notably the WSL2 kernel and any Microsoft‑published VM images that include custom kernels) as unverified until they are inspected or explicitly attested by Microsoft.

---

Background / Overview​

What the bug is, technically​

CVE‑2024‑41067 is a Linux kernel Btrfs bug in the scrub code that arises when the RST (raid stripe table / RST) lookup fails while an empty bio (bbio) is processed. The empty bio path leads scrub_read_endio to iterate bio vectors and compute a sector index that can equal stripe->nr_sectors, triggering an ASSERT and a kernel crash or oops. Upstream maintainers changed the allocation/lookup ordering (map the block first, then allocate the bio) to avoid handling an empty bbio and to close a race window in the old code.

Where this shows up in vendor tracking​

Mainstream vulnerability trackers (NVD, OSV, vendor security pages such as Ubuntu and SUSE) recorded the issue as a kernel bug with an availability impact (local‑vector kernel crash / denial‑of‑service), and distribution kernels began receiving fixes in their stable branches soon after the upstream patch landed. Those advisories map the upstream commits and identify which distribution kernel releases include the fix.

---

Microsoft’s public statement: what it actually says​

Microsoft’s Security Response Center entry for this CVE (the MSRC / Security Update Guide entry) states that “Azure Linux includes this open‑source library and is therefore potentially affected.” Microsoft also committed to publishing CSAF/VEX machine‑readable attestations (starting with Azure Linux) and to update the CVE mapping if other Microsoft products are discovered to ship the same upstream component. That phrasing is an inventory attestation — authoritative for the Azure Linux product family — and an explicit promise to expand the mapping if further product carriers are found.
Important nuance: Microsoft’s statement describes what it validated so far. It is not a universal negative assertion about every Microsoft SKU, image, or kernel artifact. Large vendors typically publish VEX/CSAF attestations in phases; beginning with Azure Linux is a pragmatic choice but leaves a residual verification requirement for other Microsoft‑distributed artifacts.

---

Is Azure Linux the only Microsoft product that includes Btrfs and could be affected?​

Short answer: No — not necessarily.
Long answer: Azure Linux is the only Microsoft product Microsoft has publicly attested to include the implicated Btrfs code for this CVE at the time of the advisory, but other Microsoft‑distributed kernel artifacts (notably the WSL2 kernel builds, Azure kernel packages used in some images, and any Microsoft‑curated Marketplace or AKS node images that embed a kernel) may also contain the same upstream sources depending on how those artifacts were built and configured. Those other artifacts remain unverified until Microsoft publishes attestations for them or until you inspect the artifacts yourself.

Why that distinction matters​

• A VEX/CSAF attestation is a per‑product inventory statement: it says “we checked this product and the component is present.” It does not say “we checked every Microsoft product and only this one contains it.”
• Kernel components are an artifact‑level property: inclusion depends on the kernel version, build‑time CONFIG flags (e.g., CONFIG_BTRFS), whether the code is built in or provided as a module, and whether the particular kernel build included the upstream commit that fixed the bug. Two Microsoft images built on different dates or by different teams can therefore diverge in exposure.

---

Other Microsoft artifacts you should treat as candidates for inspection​

Below are the Microsoft product surfaces that commonly ship or host Linux kernels and therefore could plausibly carry Btrfs code depending on kernel config/version:

• WSL2 (Windows Subsystem for Linux) kernel image(s). Microsoft publishes and maintains the WSL2 kernel source and binary releases; the WSL kernel has historically included many filesystem drivers and — in recent releases — module support. Whether a particular WSL kernel build includes Btrfs depends on the kernel configuration used for that release. Inspect the running WSL kernel or the WSL release notes to confirm.
• Microsoft‑published Azure kernels / linux‑azure artifacts. Some Azure images use “linux‑azure” or Azure‑targeted kernel packages; those kernel builds are a primary distribution vector for filesystem code in cloud images and are often the same family Microsoft refers to when it says “Azure Linux.” Other kernel‑azure packages used by partner images may also include Btrfs.
• Azure Marketplace VM images, AKS node images, and curated container images. Microsoft hosts many partner images in the Marketplace; these images can contain vendor or Microsoft‑customized kernel builds. Unless the Marketplace image is explicitly covered by Microsoft’s VEX/CSAF output for this CVE, treat these images as requiring verification.
• Custom WSL kernels and other user‑configured kernels. Many users build and deploy custom WSL kernels (and Microsoft documents how to do this). If you or your developers supply a custom kernel, you are responsible for verifying that kernel’s upstream commit status and config.
• Windows native OS images (desktop/server): The Windows NT kernel does not ship the Linux Btrfs code as part of Windows itself. A plain Windows installation without WSL2 or third‑party WinBtrfs drivers is not directly affected by a Linux kernel Btrfs bug. However, third‑party Windows drivers that reimplement Btrfs (independent projects) are separate projects and require separate vetting.

---

How to verify whether a given Microsoft artifact in your environment is affected​

Verification is an artifact‑level exercise: check the actual kernel binary and configuration. The basic triage steps below are practical and repeatable; use them across VMs, WSL instances, container nodes and any image artifacts you manage.

Quick triage checklist (run on each candidate artifact)​

• Gather kernel identity:
• uname -a — capture the kernel string and vendor tag.
• Check for Btrfs support in kernel config:
• zcat /proc/config.gz | grep -i CONFIG_BTRFS
  or
  grep -i CONFIG_BTRFS /boot/config-$(uname -r)
• Check whether the Btrfs module or filesystem is present or loaded:
• lsmod | grep btrfs
• modinfo btrfs (to see module version and path)
• cat /proc/filesystems | grep btrfs
• findmnt -t btrfs (to see mounted btrfs filesystems)
• Map your kernel build to upstream fixes:
• Use the vendor kernel changelog or distribution advisory to find whether the upstream commit(s) closing CVE‑2024‑41067 are present in that kernel build. NVD/OSV entries list the upstream commits you can use for mapping.
• If you use WSL2:
• From inside WSL: uname -r ; zcat /proc/config.gz | grep -i CONFIG_BTRFS
• Compare the kernel string to Microsoft’s WSL kernel release notes or the WSL2‑Linux‑Kernel repository to see whether the published build included Btrfs or the upstream fix.

(These commands are reproducible across Linux VMs and WSL instances; run them centrally via orchestration or agent tooling to inventory an estate.

---

Practical remediation and mitigation guidance​

• If Microsoft (Azure Linux) or your distribution vendor publishes a patched kernel image, apply it and schedule a controlled reboot/replacement for all affected nodes. Azure Linux customers should prioritize Microsoft’s kernel updates for Azure Linux images that the VEX/CSAF attestation marks as KnownAffected or Fixed.
• For WSL2 users: update Windows and WSL to pick up any Microsoft‑shipped fixed WSL kernel image, or build and deploy a custom WSL kernel that includes the upstream fix if Microsoft has not yet published one for your channel. Confirm WSL kernel version after the update with uname -r.
• If you cannot patch immediately:
• Avoid mounting or using Btrfs volumes on hosts that process untrusted workloads.
• Remove or blacklist the btrfs module where possible (modprobe -r btrfs), understanding that built‑in kernels cannot unload built‑in filesystem support.
• Isolate workloads that might exercise the scrub path (e.g., storage maintenance jobs, fs scrub or verification runs) and restrict who can perform scrub operations.
• Monitor kernel logs for btrfs‑related warnings/OOPS and maintain telemetry for any suspicious kernel ASSERTs.
• For Azure customers using Marketplace or AKS node images: inventory which image families your clusters and VMs are running. If a node image is vendor‑managed, rely on the vendor package updates; if it’s Microsoft‑curated, watch MSRC and the product VEX/CSAF for updated attestations.

---

Critical analysis: strengths of Microsoft’s approach and residual risks​

Notable strengths​

• Transparency and machine‑readable attestations. Microsoft’s commitment to publish CSAF/VEX attestations for Azure Linux and to expand mappings over time is a positive step for enterprise automation and supply‑chain clarity. A named attestation gives Azure Linux customers a clear remediation starting point.
• Product‑scoped clarity. By declaring the product family (Azure Linux) explicitly, Microsoft reduces guesswork for many Azure customers and enables automated triage via VEX feeds.

Residual risks and limitations​

• Attestation ≠ exhaustiveness. Microsoft’s initial mapping is product‑scoped; absence of a product from the VEX/CSAF output is not proof the product is unaffected. Other Microsoft artifacts (WSL kernels, Marketplace images, linux‑azure builds) might include the same code and are only “not yet attested,” not conclusively safe. Administrators must not conflate Microsoft’s attestation for Azure Linux with a global negative assurance across all Microsoft SKUs.
• Artifact variability. Kernel exposure depends strongly on build‑time configuration (CONFIG_BTRFS), whether Btrfs is built in or modular, and whether the build included the upstream commits. Two images with the same marketing name can ship different kernel builds. That variability makes automated, cross‑product inventorying essential.
• Operational lag in third‑party images. Marketplace images, partner appliances, and infrequently updated images can remain vulnerable long after upstream patches exist. These long‑tails require dedicated inventory and rebuild campaigns.

---

Flagging unverifiable claims and caveats​

• Any public statement that “WSL is/ is not affected” requires artifact‑level verification: the WSL kernel build and config must be inspected to determine whether the vulnerable Btrfs paths are present. While the WSL2 kernel repository and release notes are publicly available (so you can often check), there is no global blanket statement that covers all custom and vendor‑patched WSL kernels — custom builds remain the operator’s responsibility to audit. Treat claims about WSL exposure as conditional until you verify the kernel build string and config.
• Microsoft’s MSRC entry and VEX/CSAF outputs are the authoritative source for Microsoft’s own product attestations. If you need absolute assurance about a specific Microsoft image or product, rely on Microsoft’s updated VEX feeds or request an SBOM/attestation for the specific artifact. Absence from VEX is “not yet attested,” not “not affected.”

---

Recommended action plan for operations teams (concise)​

• Inventory all systems that run Linux kernels or WSL on Microsoft platforms (Azure VMs, AKS nodes, WSL2 hosts, Marketplace images).
• Run the triage checklist commands across that fleet to detect Btrfs presence (uname, /proc/config.gz, lsmod, findmnt).
• Map kernel build strings to upstream CVE fix commits (use NVD/OSV vendor advisories and distro changelogs).
• Prioritize remediation for: (a) Azure Linux images Microsoft has attested as KnownAffected, (b) exposed multi‑tenant hosts or nodes that mount Btrfs volumes, and (c) WSL nodes used in CI or multi‑user developer machines.
• Apply patched kernel images or vendor package updates; schedule reboots or node replacements as necessary.
• If patching is delayed, mitigate by unloading btrfs where possible, isolating workloads that perform scrub operations, and tightening who can execute filesystem maintenance operations.

---

Conclusion​

Microsoft’s statement that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate and operationally useful — it is an authoritative attestation for Azure Linux that should prompt immediate remediation for customers running those images. However, that sentence is intentionally scoped: it reports what Microsoft has validated so far, not a universal guarantee that no other Microsoft product contains the same upstream Btrfs code. WSL2 kernels, kernel‑azure artifacts, Marketplace images and any Microsoft‑published kernel builds remain plausible carriers and must be verified at the artifact level. Operators should treat Microsoft’s VEX/CSAF outputs as the authoritative starting point for Azure Linux, and then run the artifact‑level triage checklist across their estate to determine exposure and apply patches or mitigations without delay.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center