Microsoft has published a security advisory for a kernel memory leak that can silently drain system memory on Azure Linux systems utilizing Precision Time Protocol (PTP) one-step hardware timestamping. The flaw, tracked as CVE-2025-38148, stems from a missing cleanup in the MSCC PHY PTP driver and can, over time, lead to memory exhaustion, degraded performance, or out-of-memory conditions. A fix has been merged into multiple stable Linux kernel branches and is available through Azure Linux update channels.
The vulnerability itself is not a remote code execution or privilege escalation vector; rather, it presents a local availability risk that matters most in long-running, timing-sensitive environments. Yet its presence in Microsoft's own Linux distribution makes it a noteworthy item for anyone running Azure Linux VMs or managing hybrid cloud infrastructure.
What Actually Changed
The core issue lies in the kernel's MSCC PHY PTP driver (drivers/net/phy/mscc/mscc_ptp.c). When a network interface uses one-step timestamping—a PTP mode where the NIC hardware inserts the transmit timestamp directly into the outgoing frame—the driver is supposed to release the socket buffer (skb) immediately after handing the packet to the hardware. Normal two-step timestamping releases the skb upon receiving a completion interrupt, but in one-step mode that interrupt never arrives, so a well-behaved driver must free the skb without waiting.
The MSCC driver failed to do that. Frames sent with one-step timestamping lingered in kernel memory indefinitely because the driver kept a reference that would never be cleared. Under sustained traffic, this leak accumulates, silently increasing the kernel's memory footprint. The fix is a single, targeted change: when one-step mode is active, the driver now frees the skb right away. The patch does not alter PTP semantics for any other mode and poses minimal regression risk.
Upstream, the fix landed in stable kernel branches 6.1.142, 6.6.94, 6.12.34, 6.15.3, and 6.16-rc1, as well as in vendor backports. The vulnerability was introduced around the 5.9 kernel development line. In its advisory, Microsoft notes that Azure Linux is currently the only Microsoft product confirmed to be affected, though the company will update the CVE if additional impact is found.
What It Means for You
For Azure Linux Administrators
If you run Azure Linux virtual machines—particularly those that use PTP for precise time synchronization or that expose hardware timestamping to workloads—this leak can gradually degrade host memory health. Systems that handle frequent, timestamped network transmissions (e.g., financial trading platforms, telecom virtualization, industrial IoT gateways) are at highest risk of noticeable impact. The local attack vector means an attacker would need to already have code execution on the system to trigger the leak repeatedly, but even normal, legitimate usage could cause the memory to grow over weeks or months.
For IT Professionals Managing Mixed Environments
Many organizations run Windows alongside Linux VMs in Azure. While Windows itself is not vulnerable, any Azure Linux instances under your purview need patching. The same goes for on-premises or edge devices that run custom Linux images based on the Azure Linux kernel tree. Check whether your Linux workloads depend on PTP and whether the MSCC PHY driver is loaded. Even if you do not actively use PTP, updating is the safest path.
For Developers of Time-Sensitive Applications
If your application relies on hardware timestamping for distributed systems, the memory leak can introduce unpredictable performance hiccups. As kernel memory pressure grows, the OOM killer may terminate critical processes. Applying the patch ensures your latency-sensitive services maintain consistent resource profiles.
For General Windows Users
This CVE does not affect Windows hosts or the Windows operating system. The advisory from Microsoft is about Azure Linux, the company's own Linux distribution. If you do not manage Linux VMs or Azure infrastructure, no action is required.
How We Got Here
The bug was introduced as part of the MSCC PHY PTP driver code around kernel version 5.9, but it remained dormant unless a system specifically used one-step timestamping. Because one-step mode is less common than two-step, the leak went unnoticed for some time. The upstream fix was developed and merged into stable kernel trees, and it was subsequently backported by various Linux distributors.
Microsoft's decision to publish a CVE for an open-source component used in Azure Linux reflects the company's commitment to transparency through its Common Security Advisory Framework (CSAF) and Vulnerability Exploitability eXchange (VEX) initiatives. Since October 2025, Microsoft has been issuing such detailed advisories to keep Azure Linux customers informed about risks in integrated open-source libraries. The advisory explicitly states that if other Microsoft products are found to include the vulnerable code, the CVE will be updated accordingly.
What to Do Now
-
Identify affected systems. Determine whether your Azure Linux VMs or containers run a kernel version affected by CVE-2025-38148. Look for the MSCC PHY driver (check
lsmod | grep msccor kernel config). Even if the driver is present but not actively used, patching is recommended. -
Apply updates. Microsoft's advisory points to the Azure Linux update channels. Update to the latest available kernel package for your distribution version. Reboot after the update. If you use a third-party Linux distribution derived from Azure Linux, consult that vendor's security advisories.
-
Verify the fix. Confirm that the updated kernel contains the upstream commit IDs mapped to CVE-2025-38148. The kernel changelog or the advisory's package listings will indicate this. Test timestamping functionality after the update to ensure one-step operation works as expected.
-
If immediate patching is impossible, consider these temporary mitigations:
- Disable hardware one-step timestamping on affected interfaces (useethtoolor NIC-specific tools).
- If PTP is not required, unload the MSCC PHY driver or disable PTP support altogether.
- Restrict access to PTP configuration to trusted users or containers. -
Monitor memory trends. For pre-patch systems, keep an eye on kernel memory usage (via
slabtop,vmstat, or cloud monitoring tools). An unexplained, slow rise in kernel-allocated memory could indicate the leak is active.
Outlook
CVE-2025-38148 is a textbook case of a low-complexity, operationally meaningful bug: a missing free on a valid code path that only surfaces with a specific hardware and configuration combination. Its minimal, defensive upstream fix makes it easy for vendors to backport, so admins should expect broad availability of patched kernels across major distributions. Microsoft's advisory currently limits the scope to Azure Linux, but the company may expand the CVE if other products are later found to include the vulnerable code.
The episode also underscores the importance of treating open-source components in cloud distributions with the same diligence as proprietary code. For Azure Linux users, the patch is already available, and applying it should be a straightforward maintenance task. For those in the long tail of embedded and vendor kernels, verifying that the fix reaches your specific images will be the critical next step.