CVE-2025-38138: TI UDMA Kernel Fix and Azure Linux Attestation

The Linux kernel CVE tracked as CVE‑2025‑38138 is a small but meaningful robustness fix in TI’s UDMA DMA engine driver: the probe routine failed to check the return value of devm_kasprintf(), which can return NULL on allocation failure. Upstream maintainers fixed the bug by inserting a simple NULL check in udma_probe(), and Microsoft’s MSRC has published an Azure Linux attestation for the vulnerable upstream component — but that attestation is product‑scoped, not an exclusivity guarantee. Operators running Azure Linux should treat the product as a known remediation priority; operators running other Microsoft‑supplied kernels, images, or artifacts should not assume safety until those artifacts are inventoried or attested as Not Affected.

---

Background / overview​

CVE‑2025‑38138 was assigned to a driver‑level null‑pointer dereference in the TI (Texas Instruments) UDMA implementation in the Linux kernel. The fault is simple: devm_kasprintf() can return NULL if a memory allocation fails, and udma_probe() historically used the returned pointer without validating it. If allocation failed and the NULL value was used, a kernel NULL pointer dereference could occur during probe — producing an oops / panic or other stability failure. The upstream kernel CVE announcement records the introduced code and the targeted fixes, and points operators to a set of stable commits that contain the correction.
Why this matters operationally

• The bug is a local robustness defect that primarily affects system availability. A NULL dereference in kernel probe paths typically triggers oopses, panics, or kernel thread crashes that can destabilize hosts.
• The vulnerable code lives in drivers/dma/ti/k3-udma.c, a hardware‑vendor driver for TI K3 UDMA DMA engines. That means only kernels that include that driver (via build configuration) are potentially affected.
• The fix is straightforward and conservative: check for NULL and return -ENOMEM when allocation fails. Upstream commits were applied in the 6.16-rc1 window and backports appear across stable trees as vendors release updates.

Technical provenance and patch locations

• The Linux CVE announcement (linux‑cve‑announce) documents the issue, the affected file, and lists the upstream commits and stable backport commits that fix it; it also specifies the issue was introduced by the original k3‑udma driver commit and then corrected in the 6.16 series.
• The patch itself is minimal — two insertions and one deletion — and is visible in the public patch threads and in the kernel stable commit history. If you cannot upgrade your kernel immediately, the kernel community provides the individual commits that can be applied to vendor kernels, though cherry‑picking kernel fixes is a nontrivial operational exercise and is discouraged unless you have a robust kernel backport/test process.

Independent trackers (NVD, CVE aggregators, distro advisories) have cataloged the CVE and mapped it to package‑level guidance; some vendors have assigned medium‑to‑high availability impact scores and published fixed package versions in their advisories. That vendor mapping varies by distribution and supported kernel series.

---

What Microsoft published — and what that statement actually means​

Microsoft’s Security Response Center (MSRC) entry for the CVE includes a short FAQ line you have likely seen before: that “Azure Linux includes this open‑source library and is therefore potentially affected by this vulnerability.” That sentence is intentionally concise and is part of Microsoft’s phased rollout of machine‑readable CSAF/VEX attestations (announced October 2025). The MSRC guidance also explains Microsoft will update the CVE page if additional Microsoft products are identified as carriers of the same upstream component.
How to read Microsoft’s attestation

• Authoritative for the named product: When Microsoft attests that Azure Linux includes a component, that attestation is an authoritative, inventory‑level statement for the Azure Linux product family. If you run Azure Linux images or kernels, treat Microsoft’s listing as a direct, actionable signal to remediate.
• Not an exclusivity certificate: The attestation is product‑scoped, not an engineering proof that the vulnerable code does not appear in other Microsoft artifacts. Microsoft explicitly states that it will expand VEX/CSAF mappings as its internal inventories complete, which is why absence of a product name in MSRC today is not proof of absence tomorrow.

Put plainly: Azure Linux = confirmed attested carrier. Other Microsoft kernels/images = unverified until attested or inspected

• Microsoft’s attestation gives Azure Linux customers a fast, high‑confidence remediation path.
• However, Microsoft distributes many Linux kernel‑derived artifacts (WSL2 kernels, linux‑azure kernels for some VM SKUs, Marketplace images, AKS node images, appliances, and embedded vendor images). Whether those artifacts include this TI UDMA code is an artifact‑level property that depends on kernel version, backports, and build configuration. Until Microsoft publishes a VEX attestation for those artifacts or you verify artifacts directly, treat them as “unknown” rather than “not affected.” Several expert analyses have made the same interpretation of MSRC wording.

---

Short, direct answer to the user’s question​

No — Azure Linux is not necessarily the only Microsoft product that could include the affected open‑source library. Microsoft has publicly attested only Azure Linux so far; that attestation is authoritative for Azure Linux but is not proof that other Microsoft‑distributed kernels or images are free of the TI UDMA code. Until Microsoft extends its VEX/CSAF attestations or you perform artifact‑level checks on other Microsoft‑provided images, treat other Microsoft artifacts as unverified and subject to verification.

---

Practical impact and risk profile​

Severity and exploitability

• The defect is an availability/robustness issue (kernel NULL dereference), not an immediate remote code execution or privilege escalation vector by design.
• Attack vector is local: an attacker or buggy driver code that triggers the udma_probe path or forces allocation failure could precipitate an oops/panic. In cloud or multi‑tenant contexts, any kernel panic on a host can carry outsized operational risk.

Scoring differences

• Different trackers and vendors may list different CVSS scores for the same kernel CVE; for CVE‑2025‑38138 published CVSS mappings vary by vendor (some vendor feeds list medium to high availability impact scores). Use vendor advisories and your threat model — not any single score — for prioritization.

Exposure surface

• Only kernels that include drivers/dma/ti/k3-udma.c (or vendor backports of the TI UDMA code) are potentially affected.
• Many images never enable vendor‑specific DMA drivers (for example generic cloud images on x86 may not compile in TI SoC drivers used on embedded ARM systems), so the global exposure is narrower than for generic networking or crypto bugs — but that makes artifact inspection even more critical: do not assume absence by default.

Operational consequences

• For impacted hosts, symptoms will be kernel oopses / panics at device probe time or during initialization of the TI UDMA controller.
• The practical remediation is an updated kernel or an appropriate vendor backport; in some environments the operational work will be to rebuild images, update Marketplace artifacts, or redeploy AKS node pools.

---

How to verify whether your Microsoft artifacts are affected (artifact‑level checklist)​

Because Microsoft’s public attestation covers Azure Linux only at the time of the advisory, follow this checklist to determine exposure in your estate.

• Inventory images and kernels you run that are provided by Microsoft
• Azure Linux VM images
• Linux‑Azure kernels used in some Azure VM SKUs
• Azure Marketplace images (Microsoft and publisher images)
• AKS node images / node pools
• WSL2 kernel images distributed by Microsoft to Windows clients
• Any Microsoft‑distributed container base images or appliances that bundle a kernel
• Use your image registry metadata, SBOMs, and the Microsoft VEX/CSAF feed if configured to automate this step. Microsoft has begun publishing VEX attestations for Azure Linux and intends to expand coverage; subscribe to the VEX/CSAF feed for automation.
• On a candidate host, verify whether the TI UDMA driver exists in the running kernel
• Check for the driver file and symbols:
• ls /lib/modules/$(uname -r)/kernel/drivers/dma/ti/ || true
• grep -R "k3-udma" /lib/modules/$(uname -r) || true
• Inspect the kernel config:
• zgrep CONFIG_TI.*UDMA /proc/config.gz || zgrep CONFIG_DMAENGINE /proc/config.gz
• If /proc/config.gz doesn’t exist, check /boot/config-$(uname -r)
• If the driver is absent and the kernel config does not enable it, that host is almost certainly Not Affected for this specific TI UDMA defect. If the driver is present (built‑in or as a module), proceed to the next checks. (These are the artifact‑level checks you must run; the attestation alone is not a full substitute.)
• Search logs for symptoms or signatures of udma_probe crashes
• dmesg | grep -i -E "udma|k3-udma|udma_probe|k3_udma" || true
• journalctl -k | grep -i -E "kernel panic|oops|udma|k3-udma" || true
• Crash traces will typically reference drivers/dma/ti/k3-udma.c in their stack frames if the bug was triggered. These traces are reliable detection signals.
• Map kernel versions to fixed commits
• Upstream fix landed in the 6.16-rc1 window (see linux‑cve‑announce) and the specific commits are published in the kernel stable repository. If your kernel version is equal to or newer than the stable release that includes the listed stable commits, it is likely fixed; otherwise, check whether your vendor has backported the patch. Do not assume older LTS kernels are vulnerable — some vendors may have backported the fix.
• For WSL2 and client‑side kernels
• Windows ships a WSL2 kernel image and Microsoft publishes WSL kernel updates separately. If you rely on WSL2, confirm the shipped kernel version and whether the WSL kernel image includes the TI UDMA driver (rare on x86 Windows clients but worth verifying if you deploy WSL on ARM devices). If necessary, update WSL via the Microsoft Store or the WSL update channels and verify the kernel config.
• Use automated scanning and SBOM comparison
• If you maintain SBOMs for images or host artifacts, scan them for the presence of drivers/dma/ti/k3-udma.c or for specific kernel versions listed by the kernel CVE team. Where Microsoft publishes VEX/CSAF attestations for a product, consume those feeds to automate marking Known Affected / Not Affected statuses for Azure Linux artifacts.

---

Prioritized remediation and mitigation guidance​

• For Azure Linux customers (highest priority)
• Apply Microsoft’s published kernel updates for Azure Linux immediately. Microsoft’s attestation shows Azure Linux images include the implicated upstream code and are therefore potentially affected; that makes Azure Linux the highest‑priority remediation path. Subscribe to Microsoft’s VEX/CSAF feeds and the Azure Linux security advisories to automate patch rollout.
• For other Microsoft‑distributed images (WSL, Marketplace, AKS, linux‑azure)
• Treat these artifacts as unverified until attested. Do the artifact‑level checks listed above and:
• For Marketplace images and AKS node pools: rotate to patched image SKUs and redeploy node pools where an affected kernel is present.
• For WSL: update the WSL kernel package and verify the kernel config. If necessary, block or schedule WSL update rollouts in controlled ways.
• For linux‑azure kernels used in special VM SKUs: verify kernel version and vendor advisories for backports; plan upgrades where necessary.
• For enterprise distributions and vendor kernels
• Watch vendor advisories from Red Hat, SUSE, Oracle, Debian, and others: vendors will publish fixed package versions and, where appropriate, backports for enterprise LTS kernels. Use distribution package management or vendor firmware/package updates to install fixed kernels. Several vendors have already recorded the CVE and listed package updates; consult vendor advisories for your platform.
• Interim mitigations (if immediate full patching is impossible)
• Isolate workloads that require TI UDMA hardware, if practical.
• Use host‑level monitoring and crash detection to detect and auto‑revert or fail over hosts that experience kernel oopses during boot or device initialization.
• Where possible, disable the module (modprobe -r) or blacklist it (echo "blacklist k3-udma" > /etc/modprobe.d/blacklist-k3-udma.conf) for images that do not need the driver. NOTE: This is an operational workaround only and may break device functionality; test before deploying.

---

Detection, hunting, and telemetry guidance​

Hunt for the canonical signatures of this bug:

• Kernel messages referencing k3‑udma or udma_probe in stack traces.
• Boot‑time crashes on hosts with TI UDMA hardware or images compiled for TI SoCs.
• Kernel oops text containing references to drivers/dma/ti/k3-udma.c.

Useful commands:

• dmesg | grep -iE "k3-udma|udma_probe"
• journalctl -k -o short-iso | grep -iE "k3-udma|udma_probe|k3_udma"
• rpm -q --changelog kernel | grep -i "CVE-2025-38138" (or equivalent dpkg/aptz parsing) to find vendor changelog annotations.
• Search your image registry SBOMs for the relevant kernel version or module path.

Telemetry strategy

• Add a high‑confidence detection rule in host EDR/OS telemetry to flag kernel oops strings that reference the TI UDMA driver; route such detections to on‑call remediation and automated host quarantine or replacement policies. Combine this with image level scanning so infected images are replaced before redeployment.

---

Strengths and limitations of Microsoft’s VEX/CSAF attestation approach​

Strengths

• Actionable signal for Azure Linux customers: Microsoft’s targeted attestation reduces noise and gives Azure Linux users a single, high‑confidence fix path to follow, which accelerates remediation at scale.
• Machine‑readable automation: VEX/CSAF enables automated triage tooling to mark Known Affected/Not Affected statuses for a product once Microsoft publishes attestations.

Limitations / risks

• Phased coverage is not exhaustive: Microsoft’s rollout began with Azure Linux; Microsoft explicitly reserves the right to update CVE mappings as inventories expand. That means other Microsoft artifacts remain unverified until attested; customers must not read the absence of a product name as proof of safety. This is a frequent point of confusion for operational teams and vulnerability managers.
• Artifact variance makes blanket claims impossible: A given source file in the upstream kernel tree may be present in some compiled images but not others, depending on kernel version and CONFIG_* flags selected at build time. Effective mitigation requires artifact‑level verification and SBOM or image metadata coverage.

---

Recommended checklist for security teams (summary)​

• Prioritize: Patch Azure Linux images first (Microsoft has attested them).
• Inventory: Enumerate Microsoft‑supplied images/kernels you run and mark them as Known Affected / Not Affected / Unknown. Use SBOMs and image metadata.
• Verify binaries: On any untrusted or un‑attested Microsoft artifact, check for the TI UDMA driver presence and search logs for udma_probe traces.
• Patch or replace: Apply vendor backports or upgrade kernels; redeploy images where necessary. Where patching is not immediately feasible, apply mitigations (blacklist module, isolate hardware, increase monitoring).
• Subscribe: Consume Microsoft’s VEX/CSAF feed and vendor advisories so future attestations automatically update your triage status.

---

Final analysis — what to take away​

CVE‑2025‑38138 is a classic kernel hardening correction: a missing NULL check that could lead to a kernel NULL‑pointer dereference under allocation failure. The upstream fix is small and uncontroversial. Microsoft’s public statement and VEX rollout provide an important and useful attestation for Azure Linux customers — but the crucial nuance is that Microsoft attested Azure Linux because that product was inventory‑checked first. That attestation is authoritative for Azure Linux, but it is not a proof that other Microsoft products are free of the same upstream code. Security teams must therefore combine Microsoft’s VEX/CSAF signals with artifact‑level verification, SBOM checks, and vendor advisories to obtain comprehensive coverage across their fleets.
The concrete next steps for any administrator reading this piece are clear: patch Azure Linux images now; run the artifact checks outlined here for WSL, Marketplace/AKS images, linux‑azure kernels, and any Microsoft‑distributed artifacts you run; and consume the VEX/CSAF feed to reduce manual triage work going forward. The technical fix is simple, but the operational work — inventory, verification, and coordinated patching — is the real task.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center