CVE-2025-38204: Linux JFS Bounds Fix and Azure Linux Attestation

The Linux kernel patch for CVE-2025-38204 closes an array-index-out-of-bounds read in the JFS filesystem implementation’s add_missing_indices routine — a correctness fix that prevents a malformed on-disk structure from producing an out-of-bounds read and a potential kernel crash. Microsoft’s MSRC page for this and many recent kernel CVEs includes the stock FAQ language that “Azure Linux includes this open‑source library and is therefore potentially affected,” which is an authoritative product-level attestation for Azure Linux builds Microsoft has inspected. However, that wording is deliberately scoped: it confirms what Microsoft has checked and attested, not that no other Microsoft product could possibly include the same upstream JFS code. In short: Azure Linux is the only Microsoft product Microsoft has publicly attested so far for this issue, but it is not a technical guarantee of exclusivity — other Microsoft-distributed kernel artifacts may remain unverified until specifically inventoried and attested or otherwise inspected. ]

---

Background / Overview​

JFS (Journaled File System) is an in-tree Linux filesystem with long history and maintained support in many kernels. On July 4, 2025 the Linux kernel CVE team assigned CVE-2025-38204 after upstream maintainers added a bounds check to prevent the stbl field — an s8 value — from being used to index offsets that can range up to 127. The fix returns -EIO on malformed values and ensures jfs_readdir returns an error when add_missing_indices fails, preventing reads past the end of arrays and the kernel instability those reads can cause. The upstream announcement listing the fixed commits and the stable-kernel targets is public in the standard linux-cve-announce channel and in downstream advisories.
Why this matters: an array-index-out-of-bounds read is a correctness issue that commonly surfaces as kernel oopses, possible information leakage of kernel memory, or crashes depending on the calling context, kernel hardening, and how the corrupted or crafted on-disk data is presented to the system. For JFS, the typical exploit model requires an attacker or untrusted party to supply a malformed filesystem image, or for a compromised image or disk to be mounted; therefore exposure is usually local to systems that mount JFS images or accept JFS-formatted block devices from untrusted sources.

---

What Microsoft actually said — reading the MSRC wording​

Microsoft’s Security Response Center (MSRC) CVE entries for many Linux-kernel CVEs include a short FAQ answer when asked: “Is Azure Linux the only Microsoft product that includes this open‑source library and is therefore potentially affected by this vulnerability?” That answer points to two facts:

• Microsoft inspected and attested that Azure Linux contains the implicated upstream component (making Azure Linux a Known Affected product for that CVE), and
• Microsoft has begun publishing machine‑readable CSAF/VEX attestations (a phased rollout that started in October 2025) and will update CVE entries when additional Microsoft products are identified as affected. ([archive.ph](https://archive.ph/2025.12.05-20281...com/update-guide/vulnerability/CVE-2025-38709
  Two important readings of that wording:
• Attestation (what Microsoft did): Microsoft has run inventorying or provenance checks over the Azure Linux distribution builds and found the upstream JFS code sequence that maps to CVE-2025-38204. That is an authoritative, actionable signal for customers running Azure Linux images: apply Microsoft’s kernel updates or image vendor guidance.
• Non-exclusivity (what Microsoft did not say): Microsoft did not assert that no other Microsoft product or artifact could include the same upstream code. Their phrasing is product-scoped — it tells you what was checked, not what was not checked. Treat absence of an attestation elsewhere as absence of attestation, not proof of absence of the vulnerable code.

This same pattern appears across multiple MSRC CVE pages for different Linux-kernel CVEs; the FAQ text is repeated as part of their CSAF/VEX rollout messaging. The practical effect is that Microsoft gives you a high-confidence remediation target (Azure Linux) while signaling that further inventory work is ongoing.

---

Technical anatomy of CVE-2025-38204 (brief, verifiable)​

• Affected component: Linux kernel JFS filesystem code, file fs/jfs/jfs_dtree.c (add_missing_indices).
• Symptom: an s8-typed stbl value was interpreted as an offset into a slot array where offsets may be 0–127; without bounds checking this can produce an out‑of‑bounds read. The fix adds a bounds check and returns -EIO on error; jfs_readdir propagates the failure.
• Fix timeline: patches were merged into multiple stable branches (5.4.295, 5.10.239, 5.15.186, 6.15.4, and 6.16-rc1) — the upstream stable commits are documented in the CVE announcement thread. If you maintain custom kernels or long‑lived distribution kernels, check whether those branches have been backported.
• Severity and exposure: tracked as a high-severity kernel correctness issue in some trackers (CVSS ~7.0 in vendor trackers), but exploitation requires local access to mount or present JFS-formatted data; the predominant operational risk is denial-of-service or kernel instability rather than easy remote code execution.

Cross-check: the upstream linux-cve-announce message, NVD/CVE pages, and at least one major distribution advisory (Ubuntu/ALAS/CVE trackers) independently confirm the same technical facts — commit IDs, fixed branches, and mitigation guidance — making the technical claims verifiable across multiple sources.

---

Is Azure Linux the only Microsoft product that includes JFS and is therefore potentiallwams: No — not necessarily. Long answer: Azure Linux is the only Microsoft product Microsoft has publicly attested (so far) to include the implicated JFS code for CVE‑2025‑38204, and Microsoft’s published CSAF/VEX files and CVE FAQ language reflect that attestation. That attestation is authoritative and actionable for Azure Linux customers. However, because Microsoft distributes many different kernel-based artifacts and imagketplace VM images, “linux-azure” kernels, AKS node images, container base images, and curated appliances — any of those artifacts could include the same upstream JFS code depending on the kernel version, the kernel configuration used at build time (whether CONFIG_JFS is enabled), and whether the upstream fix was backported into the particular kernel snapshot used to produce that artifact. Until Microsoft or your own inventory tooling attests a product as Not Affected, treat un‑attested Microsoft artifacts as unverified exposure.​

Why that distinction matters: vendors commonly roll out VEX/CSAF attestations in phases. The presence of a JFS code path i does not automatically mean every Microsoft artifact includes it — but it does mean you cannot rely on silence to prove safety across your estate. You must either consume Microsoft’s VEX/CSAF attestations where available, or run artifact-level verification to reduce unknowns to knowns.

---

Practical, prioritized guidance for administrators and security teams​

Below is a concise playbook that converts the attestation language into an operational plan. Prioritize actions by exposure and the criticality of the affected hosts.

• Prioritize Azure Linux images (immediate)
• If you run Azure Linux images or nodes, treat Microsoft’s attestation for Azure Linux as a confirmed, high-priority remediation target. Apply Microsoft's published kernel updates, replace affected images with patched images, anpdates require it. Use Microsoft’s VEX/CSAF artifacts (where available) to automate triage of Azure Linux instances.
• Inventory all Microsoft-provided artifacts (24–72 hours)
• Enumerate and inventory every Microsoft-distributed kernel artifact that runs in your environment:
• WSL2 kernels and WSL distributions provided via Microsoft updates.
• Azure Marketplace VM images you consume.
• AKS node images and nodepool definitions.
• linux-azure or other Azure-tuned kernel builds.
• Microsoft container base images and curated appliance images.
• For each artifact, determine:
• Kernel version and exact build (uname -a, /boot/config-<version>, /proc/config.gz).
• Whether CONFIG_JFS is built-in or available as a module (grep CONFIG_JFS /boot/config-<version> or look under /lib/modules/<version>/kernel/fs/jfs). If JFS is not present, the artifact cannot be vulnerable for this CVE.
• Use VEX/CSAF wherever provided (automate)
• Ingest Microsoft’s machine-readable VEX/CSAF feeds for the Microsoft products you run (the Azure Linux feed is the first and best-covered). VEX files provide deterministic “Known Affected,” “Not Affected,” “Under Investigation,” or “Fixed” annotations for specific product artifacts and can be used to automate remediation workflows. Miing these attestations in October 2025 and will expand coverage over time.
• Artifact-level verification (if no VEX attestation exists)
• When a VEX/CSAF entry is not available for a Microsoft product you run, verify artifact contents:
• For VMs/containers: inspect /boot/config-<version>, the module tree (/lib/modules/<version>), and package metadata to confirm whether JFS code is present.
• For WSL2: check the distributed kernel version and kernel configuration that Microsoft shipped for your WSL image.
• For Marketplace images and AKS node images: either consult the image SBOM (if provided) or extract the kernel and inspect its configuration.
• If the artifact includes JFS and the kernel version predates the fix or lacks the fixed commits/backports, treat it as affected and remediate by updating, rebuilding, or replacing the artifact.
• Detection and compensating controls
• Monitor kernel logs for JFS-specific oopses or errors referencing add_missing_indices or jfs_dtree.c; such signatures in logs indicate you may have run into malformed JFS on-disk data.
• If you cannot immediately patch, restrict who may mount untrusted block devices or images. Avoid automated mounts of external images until they are validated or the host is patched.
• Document and govern
• Record findings in your vulnerability management system, annotate whether each Microsoft artifact is Known Affected / Not Affected / Under Investigation, and retain evidence (kernel config, module presence, SBOMs).
• Subscribe to MSRC VEX/CSAF feeds and relevant distro advisories so you can automate updates when Microsoft expands attestations to additional product families.

---

How to verify quickly: a short checklist for sysadmins​

• On a Linux host or VM:
• Check kernel config: grep CONFIG_JFS /boot/config-$(uname -r) or zgrep CONFIG_JFS /proc/config.gz
• Check module presence: ls /lib/modules/$(uname -r)/kernel/fs/jfs
• Searchops traces or messages referencing add_missing_indices or jfs_dtree.c
• For WSL2 instances:
• Inspect the WSL2 kernel version and the kernel config shipped by Microsoft for that WSL release.
• For immutable images (Marketplace, AKS nodes, containers):
• Extract the kernel or consult the image SBOM; if missing SBOMs, treat the image as Under Investigation until you can validate the kernel config.

If JFS is absent in the kernel config or build artifacts, the artifact cannot be vulnerable for CVE‑2025‑38204; if JFS is present and the kernel predates the fixed commits or lacks the backport, remediate.

---

Critical analysis — strengths, gaps, and risengths of Microsoft’s approach​

• Actionable attestation: Microsoft’s product-level attestation for Azure Linux gives customers a clear, authoritative remediation target and enables automation through CSAF/VEX. That helps with urgent triage and rapid patching of known affected instances.
• **Transparency commitmene-readable VEX/CSAF attestations is a best-practice for large vendors; it makes it easier for customers and automated tools to know what the vendor has checked and what remains in scope.

Gaps and operational risks

• Phase-by-phase coverage leaves residual unknowns: Microsoft’s rollout is product-by-product. Until WSL kernels, Marketplace images, AKS node images, and other artifacts receive explicit attestations, defenders must perform artifact-level discovery — an operational burden that can delay full remediation in large estates. Absence of an attestation is not proof of absenct surface area:** Microsoft ships many kernel-based artifacts. The same upstream JFS code can be compiled into different kernels at different times and with different kernel configs. That multiplicative artifact surface makes automated, exhaustive inventory difficult without SBOMs and VEX coverage.
• Potential for late backporting ambiguity: Distributors sometimes backport fixes into long‑lived vendor kernels without changing the mainline version string. Relying only on kernel version numbers (e.g., “6.x”) without validating whether the vendor backported the specific commit can lead to false negatives in triage. Always verify patched commit IDs or vendor advisories.

Operational recommendation (risk posture): treat Microsoft’s Azure Linux attestation as a confirmed priority. At the same time, assume other Microsoft artifacts are unknown and perform targeted scanning and verification on any artifact that could plausibly mount JFS data or run JFS drivers. Do not assume "not listed = safe."

---

Whatect from vendors and what to demand​

• Expect vendors to continue rolling out product-by-product VEX/CSAF attestations; track the VEX feed and subscribe for updates to the CVE mapping the vendor provides. Microsoft has publicly committed to updating CVE entries if additional products are identified as carriers.
• Demand artifacthere possible: SBOMs for Marketplace images, explicit kernel build metadata for WSL kernels, and machine-rer curated images. These materially reduce the workload for defenders and improve response time.
• When vendor attestations are absent, require image provenance or insist on the ability to rebuild images with fixed kernels as part of a remediation SLA.ment and concrete next steps
• The Microsoft MSRC statement for CVE‑2025‑38204 is accurate and authoritative for Azure Linux: Microsoft inspected Azure Linux builds and attested that the upstream JFS code implicated by the CVE is present there. Azure Linux customers should patch per Microsoft guidance without delay. (ubuntu.com)
• That attestation does not mean Azure Linux is the only Microsoft artifact that could include the vulnerable JFS code. Other Microsoft-supplied kernels and images may still carry the vulnerable code until they are individually attested or inspected. Treat un‑attested artifacts as unknown and verify them proactively.
• Practical next steps (summary):
• Patch Azure Linux images immediately using Microsoft’s updates.
• Inventory Microsoft-supplied kernels and images in your estate and verify presence/absence of JFS.
• Ingest Microsoft CSAF/VEX feeds for automation and monitoring of attestation changes.
• Where VEX is absent, perform artifact-level verification (kernel config, module tree, SBOM) and remediate aCVE-2025-38204 is a textbook example of why vendor attestations are valuable and why product-scoped wording must be read carefully: the attestation tells you what has been checked; it does not absolve you of verification duties elsewhere in your environment. Treat Microsoft’s Azure Linux attestation as the starting point in your triage — not the finish line.

---

Appendix: Quick reference (what to check on a host)​

• Kernel config: grep CONFIG_JFS /boot/config-$(uname -r) or zgrep CONFIG_JFS /proc/config.gz.
• Module presence: ls /lib/modules/$(uname -r)/kernel/fs/jfs.
• Kernel version vs. fixed commits: compare the kernel’s upstream commit snapshot against the commit IDs listed in the linux-cve-announce message (the stable commits that contain the fix).
• Microsoft attestation: consult MSRC CVE page and VEX feed for product-level status (Azure Linux Known Affected/Fixed).

Conclusion: patch Azure Linux now, inventory the rest, automate with VEX/CSAF where possible, and treat missing attestations as "not yet verified" rather than as safety guarantees.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center