CVE-2025-38153 AQC111 Driver: Azure Linux Attestation and Exposure

The upstream Linux kernel fix for CVE-2025-38153 patches a correctness bug in the AQC111 USB Ethernet driver that failed to validate the byte count returned by usbnet read calls — a small coding lapse with outsized operational implications for any system that actually loads and uses the aqc111 driver. Microsoft’s short public guidance on the CVE — which says only that “Azure Linux includes this open‑source library and is therefore potentially affected” — is accurate as far as it goes, but it is not a technical guarantee that no other Microsoft product can include the same vulnerable code. That distinction — attestation versus exclusivity — is the key operational takeaway for administrators and security teams assessing exposure in Microsoft-supplied artifacts.

Background / Overview​

CVE-2025-38153 was assigned to a defect in the Linux kernel driver for the AQC111 family of USB Ethernet adapters. The fault is an error‑handling and initialization problem: the usbnet helper may return fewer bytes than expected, and the driver did not always validate that the full amount had been read before using the data — which in practice can leave MAC address fields (and other sensitive structures) partially or uninitialized and trigger sanitizer warnings or undefined behavior. Upstream kernel maintainers committed fixes and published backports for supported stable kernel lines. Public vulnerability trackers and vendor security feeds recorded the advisory and the available kernel patches.
Why this matters in practice

• The bug is a kernel‑level robustness issue: improperly initialized kernel structures can produce unpredictable behavior, KMSAN warnings, and stability problems on hosts that actually use the affected driver.
• Attack surface and exploitability are local rather than remote: an attacker needs a path to exercise the driver (for example, by attaching or emulating an affected USB Ethernet device, or by local code that interacts with the device driver).
• The public CVSS and vendor scores vary by tracker and the assumptions used; many vendors placed the issue in the medium–high availability risk range for affected kernels.

---

What Microsoft actually said — and what it means​

Microsoft’s Security Response Center (MSRC) has used a concise product‑level phrasing for a set of Linux kernel CVEs in 2025: “Azure Linux includes this open‑source library and is therefore potentially affected.” That language is an authoritative inventory attestation for Azure Linux: Microsoft examined the Azure Linux distribution artifacts, confirmed the vulnerable upstream component was present in the builds it inspected, and therefore Azure Linux images are a confirmed remediation target. Microsoft has also publicly committed to publishing machine‑readable CSAF/VEX attestations and to update CVE mappings as it completes inventory across other product families.
Important clarifications

• vity. Saying “Product X includes component Y” is not the same as saying “No other product includes component Y.” The MSRC text confirms presence in Azure Linux; it does not — and practically cannot — prove absence in every other Microsoft artifact.
• Phased rollout. Microsoft’s CSAF/VEX program began with Azure Linux and is being expanded product-by-product. The absence of an attestation for a specific Microsoft product today is an absence of attestation, not proof the product is clean. Microsoft has stated it will update CVE entries and VEX/CSAF attestations if additional products are discovered to ship the same upstream code.

---

Short answer to the user’s question​

No — Azure Linux is not necessarily the only Microsoft product that can include the implicated open‑source library and be potentially affected. It is the only Microsoft product Microsoft has publicly attested (so far) to include the vulnerable aqc111 component for CVE‑2025‑38153, and that attestation is authoritative for Azure Linux builds Microsoft inspected. However, other Microsoft‑distributed kernel images, Marketplace images, appliance kernels, and the WSL2 kernel could conceivably carry the same upstream source code depending on build timing, kernel version, kernel configuration (whether the driver is built-in or available as a module), and whether downstream backports or fixes were applied. Until those artifacts are inventoried and attested, treat them as unverified rather than proven clean.

---

Technical verification and cross‑checks​

To be confident about exposure you must verify three concrete, artifact‑specific facts for each Microsoft‑provided image or kernel you run:

• Kernel version / commit range. Does the binary include a kernel tree that predates the upstream fix? Upstream and stable trees show which commits contain the correctedistro trackers map those to package versions.
• Kernel configuration. Was the aqc111 driver compiled into the kernel or preserved as a loadable module? A source file in the tree is not sufficient evidence of exposure unless the driver was enabled in the build and is actually loadable.
• Runtime usage. Is the driver loaded and does the runtime environment actually present a device or I/O path that exercises the vulnerable code? If the device is simply present in source but never built or never attached at runtime, practical exposure may be zero.

Cross‑reference the kernel package versions and the upstream patch commits: public trackers and patch repositories list the exact commits and the stable backports; confirm your artifact’s kernel package maps to one of the fixed releases or contains the relevant patch. Several independent vulnerability trackers and Linux distribution advisory pages list patched kernel snapshots and the commit IDs that resolve CVE‑2025‑38153.

---

Where else to look inside Microsoft’s product portfolio​

Azure Linux being named first is not surprising — it was an early target of Microsoft’s VEX/CSAF rollout — but Microsoft publishes and distributes many distinct kernel artifacts and images that are plausible carriers if they used an affected kernel snapshot:

• Azure Marketplace VM images (if they include Microsoft‑supplied kernel packages).
• linux‑azure or other Azure‑tuned kernel builds used by certain VM SKUs.
• WSL2 kernel binaries Microsoft ships with Windows (the WSL kernel source is publicly published and is a separate build artifact).
• AKS node images or Azure node pool images if they are built from Microsoft’s Azure Linux or related kernel artifacts.
• Curated Marketplace images and partner appliances where Microsoft supplies or rebuilds a kernel.
• Any internally produced appliance or management image that embeds a Linux kernel build.

Each of those is a distinct artifact that must be checked independently. The fact that Microsoft attested Azure Linux does not imply any of the above are safe — they are simply different build artifacts that may or may not include the vulnerable driver depending on build history.

---

Practical steps for administrators and security teams​

If you operate Microsoft‑supplied images, follow a targeted, evidence‑driven remediation workflow rather than assuming “safe” or “unsafe” based solely on MSRC wording.

• Prioritize Azure Linux images
• Treat Microsoft’s Azure Linux attestation as an authoritative signal: apply Microsoft’s recommended kernel updates or vendor-supplied patches for Azure Linux immediately. Use vendor-supplied packages or image replacemen. Inventory other Microsoft artifacts
• Enumerate kernels across your estate that were supplied or built by Microsoft: WSL kernel binaries, Marketplace images, AKS node images, and linux-azure kernels.
• Record exact kernel package names, version numbers, and build provenance — do not rely on high-level product names alone.
• Confirm presence of aqc111 or vulnerable commit
• For each artifact: check if the aqc111 module exists (for example, search the /lib/modules/<kernel-version>/tree for aqc111 or run modinfo aqc111 on a running system).
• If you have the kernel image, inspect its build config (zcat /proc/config.gz or the vendor-supplied config) for CONFIG_USB_NET_AQC111 or similar flags. If the module is absent or the driver is disabled, practical exposure is unlikely.
• Map kernel versions to upstream patches
• Use the upstream commit IDs and stable backports listed in public advisories to determine whether the kernel contains the fix. Vendor advisories and distribution trackers list exact package-to-patch mappings for CVE‑2025‑38153.
• Patch, mitigate, or isolate
• Apply vendor‑supplied kernel updates where available.
• If patching immediately is not possible, consider temporary mitigations:
• Unload or blacklist the aqc111 module on hosts that do not need the device.
• Avoid attaching affected USB Ethernet devices to production hosts if feasible.
• Use host-level controls (device authorization, USB device whitelisting) to prevent untrusted USB NICs from being enumerated.
• Monitor and validate
• After applying updates, confirm the kernel package version, module checksum, or the presence of the upstream fix commit in your deployed kernel binaries.
• Watch vendor attestations (MSRC’s CSAF/VEX feed) for updates that explicitly add other Microsoft products to the affected mapping. Microsoft stated it will update CVE entries if additional products are identified.

---

Detection guidance and signals to look for​

• KMSAN/KASAN warnings in dmesg or kernel logs may surface when uninitialized or partially initialized data is accessed; several public analyses noted KMSAN warnings in repros of the aqc111 bug. If you’re using sanitizer builds in development or telemetry, such traces are strong indicators the driver path is exercising the problematic code.
• Presence of the aqc111 kernel module in /lib/modules for your kernel version or modinfo output indicates the driver is available and could be loaded at runtime.
• Device enumeration logs: kernel messages that show USB Ethernet device binds to aqc111 are an immediate runtime signal of potential exposure.
• Vulnerability scanners that match kernel package versions to CVE mappings: several scanners and vendor advisories have plugin rules for CVE‑2025‑38153; use those as a first pass but verify artifacts manually when possible.

---

Risk and impact: a pragmatic view​

• Realistic attack surface: Because the defect is in a device driver and requires the driver to be present and exercised, real world exploitation requires a local or guest‑level capability or the ability to present a malicious USB Ethernet device. That lowers the blast radius compared with a network‑facing remote service bug, but it is not negligible in multi-tenant or shared-host environments where device pass‑through is permitted.
• Operational impact: the primary risk reported by vendors is availability (kernel warnings, panics, or instability) and memory‑safety diagnostics (KMSAN). Some trackers also classified it with higher impact ratings depending on their scoring assumptions. Defenders should prioritize remediation in environments that allow USB devices, attach removable media, or host untrusted VMs that can present virtual USB devices.

---

Why vendor attestations are useful — and why they are not an exhaustive safety net​

Large vendors understandably publish product‑level attestations: they are actionable, machine‑readable, and make remediation prioritization easier for customers who run the named product. Microsoft’s CSAF/VEX rollout — starting with Azure Linux and committing to expand coverage — is an example of this approach in action. These attestations are valuable because they assign a clear remediation priority to a concrete product family. ([microsoft.com](You asked, we delivered: Introducing new features for an improved security experience, the operational reality of modern software supply chains is this:

• Vendors ship many distinct binary artifacts and kernel builds.
• The same upstream file or driver can appear in different artifacts depending on build time and configuration.
• A vendor attestation that names one product cannot prove absence in every other product the vendor ships.

For these reasons, security teams must combine vendor attestations with artifact‑level verification and inventory rather than treating an attestation as a global verdict.

---

Recommended operational checklist (summary)​

• If you run Azure Linux images: prioritize installing the vendor-supplied kernel update for CVE‑2025‑38153 immediately.
• Inventory Microsoft-sourced kernels in your estate (WSL, Marketplace, AKS nodes, linux-azure) and capture exact kernel package names and versions.
• For each kernel artifact: check if aqc111 is present and whether the kernel version includes the upstream fix (map to commits/backports listed by kernel.org and vendor trackers).
• If you cannot patch immediately: blacklist/unload the aqc111 module and prevent untrusted USB devices from being attached to sensitive hosts.
• Monitor MSRC’s evolving CSAF/VEX attestations and the vendor advisories for updates that add additional Microsoft products to the affected mapping.

---

Conclusion​

CVE‑2025‑38153 is a kernel driver correctness bug that was fixed upstream; its practical exposure depends entirely on whether a deployed artifact actually includes and runs the affected aquc111 driver. Microsoft’s public statement that Azure Linux includes the implicated open‑source library and is therefore potentially affected is authoritative for Azure Linux images and should be treated as a high‑priority remediation signal. However, that sentence is not a proof that other Microsoft products are unaffected — it is a product‑scoped inventory attestation, not an exclusivity guarantee. The defensible, operational posture is simple: patch Azure Linux immediately if you run it, inventory and verify other Microsoft-supplied kernels and images you use, and treat un‑attested artifacts as unverified until you can confirm they either include the fix or do not ship the vulnerable driver. This combined approach — vendor attestation plus artifact verification — is the only reliable way to contain kernel-level supply‑chain risk in modern, mixed Linux estates.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center