Note: short answer up front
- No — Azure Linux is not technically the only Microsoft product that could include the vulnerable upstream code, but it is the only Microsoft product Microsoft has publicly attested (via CSAF/VEX) as including the affected open‑source component at the time of the advisory.
Executive summary (TL;DR)
- Microsoft’s public attestation for CVE-2025-37877 names Azure Linux (azl3 kernels / CBL‑Mariner lineage) as a product that “includes this open‑source library and is therefore potentially affected.” That attestation is authoritative for Azure Linux images and kernel artifacts Microsoft has finished inventorying.
- Microsoft explicitly committed to expanding these CSAF/VEX attestations if additional Microsoft products are discovered to ship the same upstream component; therefore the product list can grow after the initial publication.
- Other Microsoft‑distributed Linux kernel artifacts (notably WSL2’s Microsoft‑maintained kernel, CBL‑Mariner artifacts beyond the Azure Linux images, linux-azure kernels, Marketplace images and custom images) may include the same upstream code depending on kernel version and kernel build configuration. Those artifacts should be considered “potentially affected” until proven otherwise by artifact-level verification.
- Operational recommendation: treat the MSRC attestation as an authoritative “yes” for Azure Linux and remediate those images immediately; at the same time, inventory and verify other Microsoft-supplied kernel artifacts (WSL, Marketplace images, CBL‑Mariner images, AKS node images, linux‑azure builds) in your environment using artifact-level checks. Automate ingestion of Microsoft’s CSAF/VEX outputs to detect changes.
Microsoft’s phrasing — “Azure Linux includes this open‑source library and is therefore potentially affected” — is a product‑scoped inventory attestation. Vendors increasingly publish CSAF (advisory) and VEX (attestation / affected status) artifacts that explicitly say, for a particular product family, whether that product is Known Affected, Not Affected, Fixed, or Under Investigation. When Microsoft says Azure Linux “includes” the upstream library, they are reporting the result of the mapping they completed for that product family at that point in time. That is authoritative for that product family, but it is not a proof that other Microsoft‑distributed artifacts do not contain the same upstream component.
Put another way:
- “Azure Linux is listed” = Microsoft found and validated the component in that product and published a VEX/CSAF attestation (act now if you run Azure Linux).
- “Azure Linux only (no other Microsoft product can possibly be affected)” = not what Microsoft stated and not implied by a partial inventory. Absence of mapping for other Microsoft products is absence of evidence, not evidence of absence.
Two independent, build‑time/runtime facts determine exposure for this class of Linux kernel CVE:
- Kernel code version / commit range. The product must ship a kernel built from an upstream commit range that contains the vulnerable code (i.e., pre‑fix upstream commit). If the vendor backported the fix into the same semantic version, the shipped kernel might already be fixed — this is why mapping commits or package changelogs matters.
- Kernel configuration (CONFIG_* flags) and module packaging. Many kernel subsystems (netfilter/conntrack, DRM, specific device drivers, wireless subsystems, etc. are optional at build time. Even if the shipped kernel version falls into the vulnerable upstream range, the attack surface exists only if the kernel was compiled with the subsystem enabled (built-in or as a module) and the relevant module is present/loaded at runtime.
What Microsoft actually published for CVE-2025-37877 (and where)
- Microsoft published CSAF/VEX attestations beginning in October 2025 and for this CVE they explicitly listed Azure Linux (azl3 kernels) as a Known Affected product family. The VEX/CSAF entry lists specific Azure Linux and CBL‑Mariner kernel artifacts as known affected and provides a machine‑readable product mapping. Microsoft also recorded “no fix available” status for the specific kernel artifacts at the time of that attestation.
Does Microsoft’s statement mean only Azure Linux is at risk? — full explanation
- Short answer: No. Microsoft’s statement means “Azure Linux is a Microsoft product that Microsoft has already verified includes the upstream component,” and therefore Azure Linux customers should consider it confirmed‑in‑scope. However, Microsoft also stated it will update the CVE/VEX record if other Microsoft products are discovered to ship the same upstream component. That implies additional Microsoft products might be affected and will be added as inventory work completes.
- Why other Microsoft artifacts could plausibly be affected:
- Microsoft builds and distributes multiple Linux kernel artifacts: Azure Linux (azl3), CBL‑Mariner derivatives, the WSL2 kernel distributed with Windows, linux‑azure kernels used in some Marketplace or boot images, and kernel packages in Marketplace images and other Microsoft‑distributed images. Any of those artifacts could include the same upstream component depending on the kernel commit used and the kernel config flags selected at build time.
- WSL2 is a particularly visible example: Microsoft maintains the WSL2 kernel sources publicly and ships a Microsoft‑maintained kernel binary for many Windows users; some WSL kernel builds historically included many netfilter/iptables features (and recent WSL kernel releases expanded module support). If a given WSL kernel release uses an upstream range that predates the fix and includes the affected subsystem, that particular WSL kernel instance is potentially affected. Conversely, if the WSL kernel config did not enable the subsystem, WSL would not be affected — it’s per-build.
- Important nuance: Microsoft’s initial attestation selection is an operational choice, not a technical guarantee that all Microsoft kernels are clean. The attestation is the output of a phased inventory program: start with the product family that is easiest to inventory (Azure Linux) and expand outward. Customers must therefore treat that attestation as an authoritative signal for Azure Linux but should independently verify other artifacts they run.
- Primary impact is local/availability in many kernel CVEs of this type (e.g., memory leak, denial of service, kernel oops). The exploitation vector is often local (unprivileged or low‑privilege user), and the practical risk is highest in multi‑tenant or shared environments (cloud VMs hosting untrusted containers, CI runners, developer workstations with untrusted code), where attackers can exercise local interfaces or container-bound device nodes.
- For Azure customers running Azure Linux images, treat the MSRC attestation as a direct actionable signal: patch (or apply updated Azure images) as Microsoft publishes them. For other Microsoft artifacts (WSL, Marketplace images, CBL‑Mariner hosts), prioritize artifact‑level inventory and verification before assuming “not affected.”
- Identify the running kernel and package:
- uname -a
- cat /etc/os-release
- Check kernel config for the relevant subsystem (example commands — substitute the subsystem names for your CVE context):
- If /boot/config-$(uname -r) exists:
grep -E 'NF_CONNTRACK|CTNETLINK|CONNTRACK|DRM|KCM' /boot/config-$(uname -r) - Otherwise (if /proc/config.gz exists):
zcat /proc/config.gz | grep -E 'NF_CONNTRACK|CTNETLINK|CONNTRACK|DRM|KCM' - Check whether modules are present or loaded:
- lsmod | egrep 'nf_conntrack|ctnetlink|drm|msm|amdgpu|ntfs3'
- modinfo nf_conntrack (if present in modules tree)
- Map the kernel version/artifact to vendor advisories:
- Compare uname output and package version to the vendor’s advisory or CSAF/VEX product mapping. For Microsoft‑published attestations, ingest the VEX/CSAF JSON and check the product_tree/product_ids Microsoft lists for Known Affected or Under Investigation.
- WSL2 check (Windows hosts):
- wsl -l -v (then open a distro and run uname -r inside it)
- If you are using the Microsoft‑provided WSL kernel, check the WSL kernel release tag and the GitHub repo config for the shipped kernel to determine if the subsystem was enabled in that build.
- For Azure Linux images that Microsoft lists as Known Affected: prioritize Microsoft’s published kernel/OS updates or new images. Microsoft’s VEX/CSAF attestations and the Security Update Guide are the authoritative signals for when fixes are available. Patch and reboot affected systems as soon as a tested update is available.
- For other Microsoft artifacts (WSL, Marketplace images, CBL‑Mariner hosts, linux-azure kernels):
- Inventory all Microsoft-provided kernel artifacts in your environment (Windows clients with WSL, AKS node images, Marketplace VM images, custom images coming from Microsoft marketplace).
- For each artifact, perform the verification steps above (kernel version/commit mapping + kernel config/module presence).
- If an artifact is in the vulnerable commit range and the subsystem is enabled, treat it as in‑scope and apply the appropriate vendor or custom patch (rebuild with the upstream fix when necessary).
- If immediate patching is impossible:
- Reduce local attack surface: restrict access to device nodes (e.g., /dev/dri, /dev/net/*), tighten container privileges (drop CAP_SYS_ADMIN, block module insertion), restrict which groups can access device nodes, and remove device passthrough from untrusted guests. Monitor kernel logs for OOPS or error signatures named in vendor/distro writeups.
- Ingest Microsoft’s CSAF/VEX JSON artifacts programmatically into your vulnerability orchestration (SOAR, vulnerability manager). Microsoft’s VEX files are machine readable and encode which Microsoft products and product components are Known Affected, Not Affected, Under Investigation, or Fixed — they are intended to be consumed by automation. Automating this reduces the chance you miss a later expansion of Microsoft’s attestation scope.
- Automate artifact-level checks in your fleet: collect uname, kernel config (where available), and module lists; compare against a list of fixed kernel versions/commits produced by upstream or distros; flag hosts that match “vulnerable commit range + subsystem enabled.”
- Microsoft’s public statement and CSAF/VEX rollout approach is to publish product-specific attestations as inventory work completes. Microsoft explicitly said it began publishing CSAF/VEX in October 2025 and that it will update CVE entries to add additional Microsoft products if they are later identified as shipping the same upstream component. That means the list of Microsoft products mapped to a CVE can expand over time; teams should watch MSRC/VEX outputs for updates.
- Practically, when Microsoft finds a product is affected, it will update the CSAF/VEX document and the Security Update Guide entry (and will publish guidance on remediations/patch availability). Azure Linux was the initial product keyed to the attestation because it is Microsoft’s published Linux distribution artifact family and is straightforward to inventory and attest.
Q — “If Microsoft hasn’t listed WSL or other products, am I safe?”
A — Not automatically. If you run WSL or other Microsoft kernel artifacts, verify the running kernel build and config. Microsoft’s attestation is the authoritative “yes” for Azure Linux; absence of a mapping for other products is not proof they are safe — it means they haven’t yet been completed in the vendor’s inventory.
Q — “What counts as proof a host is safe?”
A — Host‑level evidence: (a) running kernel with vendor package changelog that lists the upstream fix commit or a package version that the vendor lists as fixed, or (b) kernel config showing the vulnerable subsystem is not compiled in. Those are the deterministic checks.
Q — “Can a WSL or Azure Marketplace image be patched automatically like Azure Linux VMs?”
A — Azure Linux images and vendor kernel packages will be patched via their normal distribution/update mechanisms. WSL kernel updates are distributed by Microsoft via Windows/WSL update channels; Marketplace images depend on the image publisher and may require different update procedures. Inventory and follow the vendor’s remediation guidance per artifact.
Caveats and unverifiable claims (what I could not prove from vendor attestations)
- I can cite Microsoft’s attestation for Azure Linux and their statement that they will update product mappings if additional Microsoft products are found to include the component. That is documented in Microsoft’s VEX/CSAF attestation. What I cannot prove for your specific estate without your artifact data is which WSL, Marketplace, or other Microsoft-supplied kernel binaries you actually run and whether they include the vulnerable subsystem. Those are host/artifact-level facts you must verify using the commands above.
- For Azure Linux (MS‑attested as Known Affected): apply Microsoft’s kernel/image updates as published; schedule reboots and validate after update.
- Inventory all other Microsoft kernel artifacts in your environment (WSL hosts, Marketplace VM images, AKS node images, CBL‑Mariner hosts).
- For each artifact/host, run the verification checks (uname, kernel config, lsmod/modinfo).
- If the artifact is running a kernel in the vulnerable commit range and the subsystem is enabled, patch to the vendor update (or rebuild/apply the upstream fix) and reboot.
- Ingest Microsoft’s CSAF/VEX artifacts into your automation so you receive updates when Microsoft expands the product mapping.
- Microsoft’s CSAF/VEX attestation and product mapping for CVE-2025-37877 (MSRC Security Update Guide / VEX JSON) — Microsoft listed Azure Linux kernel artifacts in the product tree and marked specific kernel artefacts as Known Affected / None_available remediations at the time of the attestation.
- Independent operational analysis and community guidance summarizing the meaning of Microsoft’s wording, the phased nature of VEX/CSAF rollouts, and practical artifact verification steps. These underscore that Azure Linux is the product Microsoft mapped so far, and that other Microsoft kernel artifacts are plausible additional carriers pending artifact verification.
- Produce a 1‑page runbook with the exact shell commands and parsing rules (grep/awk/jq) you can feed into your automation to inventory your fleet for this CVE and to cross‑map kernels to Microsoft’s VEX product IDs.
- If you paste uname -r and, where available, /boot/config-$(uname -r) or ls /lib/modules/$(uname -r)/output from a small set of representative hosts, I will analyze them and tell you whether those specific hosts are likely fixed or still vulnerable.
- Watch the MSRC VEX/CSAF for this CVE and alert you if Microsoft updates the mapping to include additional Microsoft products.
- Azure Linux is the only Microsoft product Microsoft has currently attested as including the affected open‑source component for CVE‑2025‑37877. That makes Azure Linux a confirmed in‑scope product you should remediate immediately. However, other Microsoft‑distributed kernels (WSL2, CBL‑Mariner artifacts, linux‑azure, Marketplace images) could also include the same upstream code depending on kernel version and build config — they must be verified at the artifact level; absence from Microsoft’s initial attestation does not prove absence of the vulnerable code.
Source: MSRC Security Update Guide - Microsoft Security Response Center
