CVE-2025-38162 Explained: Azure Linux Attestations and Per Artifact Risk

Microsoft’s concise MSRC wording that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for the product it names — but it is a product‑scoped attestation, not a guarantee that no other Microsoft product ever shipped the same vulnerable upstream kernel code.

---

Background / Overview​

CVE‑2025‑38162 is a Linux‑kernel bug in the netfilter nftables implementation — specifically the nft_set_pipapo code path — where a multiplication used to compute the lookup table allocation size could overflow, producing unchecked allocations and possible allocator warnings or failures. Upstream kernel maintainers patched the code to add integer‑overflow checks, clamp bucket sizes and use safer allocation flags to avoid excessive allocations. The technical fix and the metadata for the CVE are recorded in the usual public trackers and kernel stable trees. Microsoft’s Security Response Center (MSRC) published an advisory mapping that upstream component to a Microsoft product: the advisory explicitly states that Azure Linux includes the implicated open‑source library and is therefore potentially affected. Microsoft also notes that it began publishing machine‑readable CSAF/VEX attestations in October 2025 and will update the CVE entry if additional Microsoft products are identified as carriers of the same code. That procedural language is deliberate: it means Microsoft has completed an inventory for Azure Linux and published its result; it does not assert exclusivity for all Microsoft SKUs.

---

What the vulnerability actually is (technical summary)​

• Component: net/netfilter — the nft_set_pipapo implementation used by nftables (pipapo sets provide compact set/bitmap‑style matching for some rules).
• Fault: unchecked arithmetic when deriving lookup table (lt) size: multiplications and additions used to compute required memory could overflow, leading to incorrect sizes and unsafe allocations.
• Fix: the upstream patch adds explicit overflow checks (check_mul_overflow/check_add_overflow), clamps bucket counts to safe maxima, consolidates checks into helper routines and changes allocations to account‑aware GFP flags where appropriate.

Practical result: the bug is a kernel robustness/availability issue. In worst cases it can trigger WARN_ON_ONCE in kernel allocator paths or cause allocation failures which lead to functional errors in the nftables subsystem. It is not described as an immediate remote code‑execution primitive in the public advisories; exploitability hinges on local or privileged code paths that exercise nftables’ pipapo set resizing. Independent trackers (Debian, Ubuntu, Oracle, Amazon Linux and OSV/NVD) map the CVE into their package advisories and have published fixes or backports for affected kernel branches.

---

Parsing Microsoft’s wording: attestation vs exclusivity​

The exact meaning of “Azure Linux includes … and is therefore potentially affected”​

Microsoft’s phrasing is best read as two linked statements:

• A product inventory attestation: Microsoft inspected Azure Linux (the distribution) and found the implicated upstream component in that product’s build(s); therefore Azure Linux images are in scope for remediation and are marked as “potentially affected” in Microsoft’s machine‑readable VEX/CSAF outputs.
• A procedural commitment: Microsoft has started publishing CSAF/VEX attestations (October 2025) and will update CVE records if its internal inventories discover the same component in additional Microsoft products. In other words, Microsoft isn’t promising exclusivity — it’s promising transparency as it completes additional product inventories.

Why that matters operationally​

A vendor attestation answers the narrow question: “Has the vendor confirmed that Product X includes Component Y?” It does not answer: “Is Product X the only vendor product that ever included Component Y?” Large vendors ship many artifacts, and each artifact’s build configuration, kernel version and packaging determine whether the upstream code appears. Absence of another product from Microsoft’s VEX/CSAF output is absence of attestation — not proof the component can’t be present elsewhere. Multiple independent assessments have emphasized that nuance and Microsoft’s published VEX process itself documents the phased, product‑by‑product rollout.

---

Is Azure Linux the only Microsoft product that could be affected?​

Short answer: No — not necessarily. Azure Linux is the only Microsoft product Microsoft has publicly attested (so far) to include the affected nftables pipapo code for CVE‑2025‑38162, but other Microsoft artifacts that ship or run Linux kernels could also include the same upstream code depending on kernel version and build configuration. Treat the Azure Linux attestation as an authoritative “yes” for Azure Linux and treat other Microsoft images as unverified until you confirm their kernel provenance or Microsoft expands its VEX/CSAF attestations.
Why that is true:

• Presence of the vulnerable code is a per‑artifact, build‑time property. Two kernels built from the same upstream commit can differ dramatically depending on CONFIG_* flags (built‑in vs module vs omitted) and selective vendor backports.
• Microsoft publishes and maintains multiple Linux artifacts: Azure Linux (CBL‑Mariner lineage), linux‑azure kernel variants used in some VM images, the WSL2 kernel that ships with Windows, Marketplace VM images, AKS node images, and other appliance images. Each artifact is produced by separate pipelines and therefore requires independent inventory.
• Any Microsoft product that ships a Linux kernel binary built from an upstream range predating the upstream fix — and that has the pipapo set enabled in its kernel config — is a plausible carrier until proven otherwise.

---

Cross‑verification: what independent trackers show​

To avoid relying solely on vendor statements, the CVE and technical fix were checked against independent sources:

• The National Vulnerability Database (NVD) entry and kernel commit notes summarize the overflow checks and allocation changes.
• Distribution trackers (Debian security tracker, Ubuntu advisories) list package versions, affected kernel trees and fixed releases; they independently mapped the CVE into distro kernels and published fixed packages/backports.
• OSV and other vulnerability databases contain cross‑references to the kernel stable commits that implement the fix, confirming the patch contents (overflow checks and allocation flag changes).

These independent records corroborate the technical description and remediation path; they also demonstrate that multiple mainstream vendors have shipped patches, making the issue primarily one of timely package/kernel updates in deployed artifacts.

---

Practical exposure model — who must worry​

You only need to care about CVE‑2025‑38162 for a Microsoft artifact if, for that artifact, two independent conditions are true:

• The artifact uses a Linux kernel built from an upstream commit range that predates the upstream fix (i.e., your kernel’s version or vendor changelog shows it lacks the fix).
• The kernel build includes the nft_set_pipapo code (either built‑in or as a module). Kernel configuration (CONFIG_NFT_PIPAPO or similarly named flags) determines whether the pipapo set is present.

Concrete examples of Microsoft artifacts that should be treated as potentially in scope until verified:

• Azure VMs running official Azure Linux images (attested by Microsoft) — act immediately on Microsoft’s guidance.
• Windows hosts running WSL2 that use Microsoft’s distributed WSL kernel binary — verify the WSL kernel version and config; WSL kernels are independently maintained and can include many netfilter features.
• Azure Marketplace images or partner appliances that ship their own Linux kernels (these are separate artifacts and must be checked per image).
• AKS node pools that use Azure Linux container host images or other Microsoft-managed node images — those node images are an explicit surface for kernel vulnerabilities.

---

Step‑by‑step artifact verification (runbook)​

For every image or host you run that is supplied by Microsoft or relies on a Microsoft‑shipped kernel, perform the following checks. These are practical, reproducible steps you can automate.

• Confirm the kernel version and vendor:
• uname -r
• Check the kernel package/changelog to map whether the upstream fix was applied.
• Check whether the pipapo code is present:
• Inspect running modules: lsmod | grep -i pipapo
• Query module info (if present): modinfo nft_pipapo || modinfo nftpipapo*
• Inspect kernel configuration for the running kernel:
• zgrep NFT_PIPAPO /proc/config.gz || grep NFT_PIPAPO /boot/config-$(uname -r)
• If /proc/config.gz is absent, examine the kernel package or the image’s /boot/config-*.
• Offline image/kernel inspection:
• Extract kernel artifacts from marketplace images and examine /boot/config-* or the .config used to build the kernel.
• Cross‑reference vendor advisories and changelogs:
• Consult the distribution/vendor security tracker to identify which kernel versions include the fix (Debian, Ubuntu, Amazon Linux, Oracle Linux trackers provide fixed versions).

If the kernel is vulnerable and you cannot immediately upgrade, consider mitigation steps such as disabling the pipapo set (if unused) or restricting which code paths and users can create or manipulate nftables pipapo sets. Many environments will find the correct fix is to apply the vendor kernel update and reboot.

---

Recommended operator playbook (prioritized)​

• For Azure Linux images: apply Microsoft’s published kernel/package updates immediately. Azure Linux is the product Microsoft has attested as affected and Microsoft publishes VEX/CSAF data for it.
• Inventory other Microsoft artifacts in your estate (WSL2, AKS node pools, linux‑azure kernels, Marketplace images) and automate the verification runbook above against each artifact. Treat artifacts as “unknown” until verified.
• Automate consumption of Microsoft’s CSAF/VEX outputs so any future attestations for other Microsoft products are ingested into your triage pipelines immediately. Microsoft has documented its VEX rollout and encourages automation.
• For images you maintain or third‑party Marketplace appliances you use, obtain the kernel provenance from the vendor and verify whether the build includes the pipapo set and whether the kernel includes the upstream fix.
• Where vendors can’t patch quickly, consider compensating controls (limit untrusted execution of nftables operations, limit unprivileged user capabilities, restrict container images that might manipulate the host networking stack).

---

Strengths and risks of Microsoft’s approach​

Notable strengths​

• Product‑scoped transparency: Microsoft’s CSAF/VEX rollout (starting with Azure Linux) gives operators an authoritative, machine‑readable signal for the product families that have been inventoried. That deterministic attestation is a practical win for automated triage.
• Procedural commitment: Microsoft explicitly commits to expanding VEX/CSAF attestations and updating CVE records if additional products are discovered to include the component. That provides a predictable path for improved coverage over time.

Potential risks and limitations​

• Phased rollout = temporary “unknowns”: Publishing attestations one product at a time inevitably leaves many Microsoft artifacts in an unattested state for the near term. Customers cannot assume those artifacts are safe simply because they are not yet listed.
• Per‑artifact variability: Kernel inclusion depends on build config and backports. A WSL2 kernel, a linux‑azure kernel, and an Azure Linux image could differ; automation and inventory are required to avoid blind spots.
• Operational burden for large estates: Organizations that mix vendor images, marketplace appliances and Windows hosts with WSL may face a high verification workload until VEX coverage expands.

---

When a single‑sentence vendor attestation is misleading — and how to avoid being misled​

Vendor statements like “Product X includes library Y and is therefore potentially affected” are a critical advance in transparency, but they can be misread. The correct operational interpretation is:

• If the vendor names a product, that product is confirmed to include the component and should be prioritized for remediation.
• If the vendor does not name a product, that absence means only that the vendor hasn’t finished inventorying that product — it does not mean the product is safe.

Treat vendor attestations as authoritative positives and non‑attestations as unknowns. Until a product is attested as Not Affected or Fixed, perform the artifact verification checklist or rely on the vendor’s future VEX/CSAF updates.

---

Conclusion​

Microsoft’s MSRC entry for CVE‑2025‑38162 correctly calls out Azure Linux as a Microsoft product that “includes this open‑source library and is therefore potentially affected.” That message is authoritative and actionable for Azure Linux customers and is part of Microsoft’s broader initiative to publish CSAF/VEX attestations beginning in October 2025. However, that attestation is deliberately product‑scoped. The presence of the vulnerable nft_set_pipapo upstream code is a per‑artifact, build‑time property. Any Microsoft product or image that ships a Linux kernel built from a vulnerable upstream range and includes the pipapo set in its kernel config is a plausible carrier until proven otherwise. Therefore, no operational team should assume Azure Linux is the only Microsoft product that could be affected — treat it as the first confirmed product and verify every other Microsoft‑supplied Linux artifact in your estate using the runbook above.
Actionable next steps (one‑line checklist):

• Patch Azure Linux images immediately.
• Inventory WSL kernels, linux‑azure kernels, AKS node images and Marketplace appliances; verify kernel version/config and presence of pipapo.
• Automate ingestion of Microsoft’s CSAF/VEX attestations and vendor distro advisories so you receive expansions of Microsoft’s attestations as soon as they’re published.

Where claims about other Microsoft products’ status are not yet published by Microsoft, those remain unverified until Microsoft’s VEX/CSAF outputs or your artifact inspections prove otherwise. Treat “not listed” as “not yet attested,” not as “safe.”

---

---

Source: MSRC Security Update Guide - Microsoft Security Response Center