CVE-2024-45025: Linux Bitmap Bug, Azure Linux Attestation, and VEX Guidance

The Linux kernel CVE‑2024‑45025 — a subtle bitmap‑copy bug that can leave stale bits set after a call to close_range() when used with the CLOSERANGE_UNSHARE flag — has been fixed upstream, and Microsoft’s public guidance currently identifies Azure Linux as the Microsoft product family they have mapped to the upstream component. That Microsoft attestation is important and actionable for Azure Linux customers, but it is not a categorical guarantee that no other Microsoft product ever included the same vulnerable code. In plain terms: Microsoft has confirmed and published Azure Linux as known‑affected/known‑mapped in their new CSAF/VEX attestation stream, but other Microsoft kernels or images could also include the vulnerable code depending on their base kernel version and build configuration — and those products need their own mapping and verification before they can be declared “not affected.”

---

Background / Overview​

CVE‑2024‑45025 is an upstream Linux kernel bug that affects the copying of file‑descriptor bitmaps inside the kernel. The problem arises in copy_fd_bitmaps(): the function expects to copy the first count/BITS_PER_LONG bits from an old bitmap and clear the remainder, but its implementation copied a number of words computed from the bit count and then memset the leftover words — a pattern that can leave a trailing word containing “garbage” bits when the caller’s assumptions aren’t satisfied. In the specific reproducer scenario, this can produce observable incorrect file descriptor behavior after a call to close_range(from, to, CLOSERANGE_UNSHARE), for example causing dup(0) to return an unexpectedly high descriptor even though lower descriptors appear closed. The bug was assigned CVE‑2024‑45025 and fixed by introducing a cleaner helper that copies-and‑expands bitmaps correctly.
Why this matters: file descriptor bookkeeping is fundamental to process behavior. The bug does not directly allow arbitrary remote code execution, but it can cause incorrect process behavior and in edge cases create predictable resource management anomalies that could be abused in local attack chains or cause availability problems in daemons and containers. Most distros reacted quickly with patches or backports for multiple kernel series.

---

Technical summary (what the fix changed)​

• Root cause: improper handling of the last partially used word when copying bitmaps (mismatched units between the copy and the memset). In some callers the assumptions about bits past the cutoff being zero did not hold, creating potential garbage left in the last copied word.
• Fix: upstream introduced a new helper (named in patches as something like bitmap_copy_and_expand) and adjusted copy_fd_bitmaps() to take the bitmap size in words rather than bits, so copying and clearing are unambiguous and safe. The patch also added a regression/functional test to the kernel selftests (close_range_test.c).
• Affected kernel series: distributions and vulnerability trackers listed affected ranges across multiple stable branches; administrators should treat kernels in older stable series (and many cloud kernel builds) as potentially vulnerable until patched. Exact vulnerable ranges vary by vendor and backport status.

---

Microsoft’s public position: what they said and what it means​

Microsoft’s security guidance (the MSRC pages and related CSAF/VEX activity) states that Azure Linux (Microsoft’s Azure Linux distribution / CBL‑Mariner lineage and Azure‑curated kernels) includes the upstream component that contained the bug and therefore is potentially affected. Microsoft also explains that they began publishing machine‑readable CSAF + VEX attestations (for Azure Linux first) in October 2025 as part of a staged approach to increase transparency. Their wording — repeated across several Linux CVE advisory pages — makes two operational points:

• Microsoft has mapped Azure Linux to the upstream bits and published attestation/status for that product family. That gives Azure Linux customers an authoritative, machine‑readable statement about whether a given CVE impacts that product.
• Microsoft will update the CVE/attestation if impact to additional Microsoft products is identified. The phrasing is intentionally conservative — it is an inventory/attestation statement for products Microsoft has evaluated and published, not an exhaustive denial of the same code potentially existing in other Microsoft software artifacts. In other words: Microsoft is saying “we have verified and are attesting Azure Linux,” and they will expand attestation to other product lines over time.

This wording is consistent with good VEX practice: publish product‑specific exploitability/impact status rather than global assertions for a vendor’s entire catalog. Practically, that means you should treat Azure Linux VEX/CSAF outputs as authoritative for Azure Linux, and treat other Microsoft products as requiring their own mapping or confirmation.

---

Is Azure Linux the only Microsoft product that could be affected?​

Short answer: No — but Microsoft has only publicly attested Azure Linux so far.
Longer explanation and evidence:

• Microsoft has explicitly published VEX/CSAF attestation for the Azure Linux family and is using that as the first product family to release machine‑readable impact statements. That is the authoritative statement you should rely on for Azure Linux.
• Microsoft also ships and maintains several different Linux kernel artifacts in its ecosystem. Examples include:
• The Windows Subsystem for Linux (WSL2) kernel (Microsoft maintains kernel source in a public repo and ships kernel binaries via Windows Update or WSL updates). WSL kernels are built from a Microsoft branch that is rebased to upstream LTS versions; the presence of a vulnerability depends on which upstream base and commits are included in the particular WSL kernel that a Windows build uses.
• Cloud images and cloud kernels used by Azure VMs (for example Ubuntu’s linux‑azure kernels or vendor‑curated kernels), AKS node images, and curated Marketplace images — many of these kernel artifacts are built by distribution partners but are distributed and supported as part of Azure VM images. Whether those artifacts are vulnerable depends on kernel version + vendor patches.
• Other Microsoft projects that embed or ship Linux components (various appliance or IoT images, partner kernels, or trimmed kernel builds) — again, inclusion is a function of the base kernel and configuration.

Because Microsoft’s public VEX rollout is phased and because Microsoft has multiple, independently built kernel artifacts across products, the mere fact that Azure Linux is attested does not guarantee that WSL, Marketplace images, or other Microsoft‑distributed kernels are unaffected — they simply haven’t necessarily been mapped yet in Microsoft’s CSAF/VEX outputs. In short: Azure Linux is the product Microsoft has certified and mapped so far; it is not an absolute claim that no other Microsoft product could ever contain the upstream vulnerable code.

---

Independent verification: what public trackers and vendors say​

Multiple independent vulnerability databases and distribution trackers documented CVE‑2024‑45025, described the bug and patch, and listed affected kernel series. Those include NVD, Debian security tracker, distribution advisories and cloud OS vendors (Amazon Linux, Oracle/Oracle Linux, Debian/Ubuntu, Red Hat, etc.). These independent records corroborate the technical description, the existence of a stable upstream patch, and the distribution backports. They also show which kernel branches and vendor kernels were considered vulnerable before backports. Administrators should consult their distribution or cloud‑image vendor advisories for the exact package/binary fixes.
Key confirmations from independent sources:

• NVD and Debian both document the bug description and the fix approach (bitmap copy helper and change to copy_fd_bitmaps()).
• Distribution advisories and cloud vendors published fixes and indicated which kernel packages were updated (Ubuntu’s linux‑azure packaging, Azure Linux kernel updates, vendor stable kernels across 4.19–6.x lines were patched or scheduled for patches). That demonstrates this was treated as a kernel bug requiring per‑vendor tracking and per‑artifact updates.

---

Practical guidance for administrators and developers​

If you run Microsoft‑published images, WSL, or Azure services, follow this checklist.

• Identify the kernel artifact you are running
• On a Linux VM or container, run: uname -r (or look at the distro/kernel package). On Azure Marketplace images or AKS nodes, check the node image/kernel package version used by the node pool. For WSL on Windows, inspect the WSL kernel version shipped to your system or the WSL kernel release in the Microsoft WSL repo/Windows Update logs. These are the authoritative indicators whether your kernel base could be within the vulnerable ranges.
• Map your kernel version to vulnerable ranges and vendor advisories
• Consult vendor advisories (your distro or cloud image provider) and public trackers (NVD/Debian/OSV) for the CVE to see if your kernel series and package versions are listed as vulnerable or patched. Vulnerable series for CVE‑2024‑45025 were tracked across multiple stable branches; vendor advisories list which package versions include the fix.
• Prioritize patching where necessary
• If your kernel package or image is listed as vulnerable, apply the vendor or cloud provider kernel updates as soon as practicable. For Azure Linux customers, Microsoft’s published VEX/CSAF outputs and Azure Linux kernel updates are the authoritative update path. For WSL users, ensure Windows Update/WSL updates are applied (or follow the WSL kernel update guidance and rebuild using the updated microsoft/WSL2‑Linux‑Kernel source if you use a custom kernel).
• Mitigation if immediate patching is not possible
• This bug’s practical exploitability is limited and local: it requires local actions that exercise close_range(CLOSERANGE_UNSHARE) under specific conditions. If you cannot patch immediately, reduce exposure by limiting untrusted local user access, enforcing least privilege, and isolating multi‑tenant workloads until patched kernels are deployed. Also monitor vendor advisories and Microsoft’s VEX/CSAF feeds for product attestation updates.
• Audit Microsoft product attestations (CSAF/VEX)
• Microsoft publishes CSAF and VEX artifacts for Azure Linux and is expanding the program. If you rely on Microsoft‑supplied kernels (WSL, Azure VM images, AKS images), watch Microsoft’s security advisory pages and the published VEX files for product‑level attestations. Do not assume an absence of an attestation equals “not affected”; instead, check the VEX/CSAF file for product‑specific status (Not Affected / Under Investigation / Known Affected / Fixed).

---

Risk analysis: why the wording matters for enterprise defenders​

Microsoft’s statement that Azure Linux “includes this open‑source library and is therefore potentially affected” is careful and operationally useful, but it does two things that defenders need to treat distinctly:

• It creates an authoritative record for one product family (Azure Linux) that Microsoft has scanned and attested. That’s actionable for teams that run that product: you can immediately map the VEX file to your assets and apply the indicated fix or mitigation.
• It does not constitute a blanket warranty about the presence/absence of the vulnerable code in every Microsoft‑distributed kernel artifact. Because Microsoft builds and ships multiple kernel variants (WSL, Azure kernels, image kernels), the only way to be sure about other products is to either:
• Rely on Microsoft’s product‑level VEX/CSAF statements for those products once they are published, or
• Independently verify by checking the kernel version and vendor/distro advisories that cover the exact artifact you run.

This nuance is why many security teams prefer two parallel actions: (a) consume vendor attestation feeds (CSAF/VEX) where available; and (b) independently inventory kernel versions on systems and cross‑reference with public CVE trackers and vendor advisories. Together, those two measures reduce the risk of blind spots caused by phased attestation rollouts.

---

Case examples and what to watch for​

• Azure Linux customers: Microsoft’s Azure Linux kernel updates and VEX attestations are the canonical place to look for status and patches for CVE‑2024‑45025. Apply the Azure Linux updates Microsoft publishes; Azure Linux was explicitly mapped by Microsoft’s initial VEX rollout.
• WSL users: WSL2 uses a Microsoft‑maintained kernel branch. The kernel base used by WSL (for a given Windows release or WSL distribution) determines whether the upstream bug existed in that build. WSL users should ensure Windows Update/WSL updates are installed and follow WSL kernel guidance from Microsoft; if you run a custom kernel in WSL you must build from a patched upstream tree or pull Microsoft’s updated WSL kernel source that contains the fix.
• Azure VM / Marketplace image users: many Marketplace images use vendor kernels (e.g., Canonical’s linux‑azure); those vendors publish their own advisories and package updates. If you use a Marketplace image, check both the image vendor advisory and Microsoft’s documentation about the image for patch guidance, because kernels distributed as part of cloud images receive fixes either from the distro vendor or via image updates.

---

Caveats and unverifiable claims​

• Microsoft’s MSRC pages for many Linux CVEs are web apps that render content via JavaScript; archived snapshots and Microsoft’s own blog confirm Microsoft’s VEX/CSAF strategy and the Azure Linux first rollout. The MSRC phrasing should be read as a product‑attestation statement, not a global exclusion. Analysts should not infer from Microsoft’s wording that only Azure Linux ever ships the affected code; rather, treat it as “Azure Linux is confirmed/mapped — others will be updated if identified.”
• The precise list of Microsoft artifacts that contain the vulnerable code at a given moment depends on how Microsoft rebased or backported upstream patches into each kernel branch or product. We cannot, from outside the Microsoft build systems, say with complete certainty that every Microsoft kernel artifact lacks the vulnerability unless Microsoft’s VEX file or the distro vendor’s advisory explicitly states “Not Affected” or “Fixed” for that artifact. That’s why combining CSAF/VEX consumption with direct inventory of kernel versions and vendor advisories is the safest operational approach.

---

Recommendations (operational checklist for WindowsForum readers and IT teams)​

• Inventory: run uname -r and package manager checks across all hosts (VMs, containers, WSL instances, Azure node pools) to collect kernel versions and packaged kernel release identifiers.
• Cross‑reference: map those versions to vendor advisories (Ubuntu/linux‑azure, Azure Linux, your distro) and public CVE trackers (NVD, Debian security tracker, OSV). If a kernel package is listed as vulnerable, schedule patching.
• For WSL: ensure Windows Update/WSL updates are current; if you run a custom WSL kernel, rebuild or obtain the patched kernel source from microsoft/WSL2‑Linux‑Kernel or use the updated binary Microsoft distributes.
• For Azure: use the Azure portal and vendor advisories to identify which images/node pools need patch or replacement; apply Azure Linux updates where the Microsoft VEX/CSAF attestation indicates a fix is available.
• Monitor Microsoft’s CSAF/VEX feeds: as Microsoft expands product attestations beyond Azure Linux, additional Microsoft products will be listed as Not Affected / Fixed / Under Investigation. Integrate those feeds into your vulnerability management pipeline if possible.
• Least privilege and isolation: where immediate patching is infeasible, reduce untrusted local access and isolate services that could be used to reproduce the edge case (close_range() with CLOSERANGE_UNSHARE) until the kernel is updated.

---

Conclusion​

Microsoft’s public advisory and VEX/CSAF work is a welcome improvement in vendor transparency: Azure Linux has been explicitly mapped and is the Microsoft product family Microsoft has attested as including the upstream component that initially contained CVE‑2024‑45025. That attestation gives Azure Linux customers a clear, machine‑readable path to determine impact and remediation.
However, the presence of the vulnerable code is a function of kernel version and build configuration, and Microsoft ships multiple kernel artifacts across its ecosystem (WSL, Azure images, curated Marketplace images, etc.). Until Microsoft publishes product‑specific VEX attestations or individual product advisories for those artifacts, defenders should not assume they are automatically safe — instead, they should verify kernel versions, consult vendor advisories, and apply kernel updates where required. Combining Microsoft’s CSAF/VEX outputs with independent inventory and vendor advisories is the most reliable operational practice to ensure you have covered every kernel instance that might be vulnerable.

---

---

Source: MSRC Security Update Guide - Microsoft Security Response Center