Microsoft has officially acknowledged that its Azure Linux distribution contains a vulnerable open-source library affected by CVE-2025-22058, a Linux kernel flaw that can corrupt UDP memory accounting and cause denial-of-service conditions. The advisory, published on Microsoft’s Security Response Center (MSRC) portal, marks the first time the company has explicitly mapped a Linux kernel CVE to its own product family—but conspicuously omits any mention of Windows Subsystem for Linux 2 (WSL2), Azure-tuned marketplace kernels, or other Microsoft-supplied Linux artifacts. For administrators who rely on these components, the absence of an attestation is not a clean bill of health.
CVE-2025-22058 was assigned to an integer overflow in the kernel’s UDP receive-memory accounting (specifically within udp_rmem_release and related helpers). When a user application sets the SO_RCVBUF socket option to an extreme value—INT_MAX, for example—the overflow causes the kernel to misreport memory usage, leading to artificially high counters in /proc/net/sockstat that persist even after sockets close. In observed cases, the reported value spiked to 524,288 pages and could double after a forced drain, starving the system of allocatable memory and triggering packet drops. Local attackers with the ability to craft such socket calls can leverage the bug to degrade service or cause resource exhaustion on affected machines.
Linux kernel maintainers merged fixes into the upstream stable trees (branches 6.1, 6.6, 6.12, 6.13, 6.14, and 6.15), and major distributions—Amazon Linux, Debian, Red Hat, SUSE, Ubuntu—promptly backported the patches into their own kernel packages. Microsoft’s contribution is an attestation: the MSRC update states that “Azure Linux includes this open-source library and is therefore potentially affected,” and promises to update the CVE if additional products are found to carry the vulnerable code. That wording is careful and scoped: it confirms Azure Linux as a known carrier but does not assert—nor can it be read as asserting—that Azure Linux is the only Microsoft product built with the same upstream code.
What Actually Happened: The Technical Breakdown
The defect lives in the network stack’s memory accounting for UDP sockets. Linux tracks per-protocol memory consumption via udp_memory_allocated and related counters, and the release path is supposed to decrement these counters when receive buffers are freed. The integer overflow occurs when the computed release value is derived from a socket buffer size set near the maximum allowed integer. Because the arithmetic lacks proper overflow protection, the subtraction wraps to a large positive number, causing the global counter to jump instead of shrink.
Security researchers and kernel developers note that the bug can be triggered by unprivileged users—any process capable of creating a UDP socket and calling setsockopt() with extreme SO_RCVBUF values can corrupt the accounting. While it is not directly exploitable for code execution or privilege escalation, the resulting memory pressure can halt UDP traffic processing, crash network services, and make the system unresponsive to new connections.
The upstream fix introduces overflow checks and correctly clamps the release value. The stable release snapshots that incorporate the fix, as listed in the Linux CVE announcements, are:
- Kernel 6.1.140 or later
- Kernel 6.6.89 or later
- Kernel 6.12.26 or later
- Kernel 6.13.14 or later
- Kernel 6.14.3 or later
- Kernel 6.15-rc1 or later
Admins should treat any kernel older than these versions as potentially vulnerable, unless the distribution backport explicitly includes the patch. Most major Linux vendors have issued security errata with updated kernel packages for their supported releases.
What It Means for You: Audience-Specific Impact
Azure Linux Users
If you run Azure Linux virtual machines (azl kernel variants) in your environment, Microsoft’s attestation is a direct call to action. Azure Linux images are built from a curated set of open-source components, and Microsoft confirms that the vulnerable upstream code is present in those builds. You should immediately plan to apply the security updates Microsoft provides for Azure Linux, typically distributed through the Azure Linux package repositories and documented in the Azure Linux upgrade tutorial. Links to the specific azl kernel updates will be referenced in the VEX/CSAF files Microsoft publishes.
WSL2 Users on Windows
Windows Subsystem for Linux 2 ships a Microsoft-built Linux kernel (often referred to as the WSL kernel or msft WSL kernel). That kernel is updated independently from the Windows host via wsl --update or through Microsoft Store updates. Microsoft has not published an attestation for the WSL kernel regarding CVE-2025-22058, meaning the company has not yet completed an inventory of that artifact. Until an official statement or updated CSAF/VEX file appears, WSL2 users should assume the WSL kernel could include the vulnerable UDP accounting code. You can check your WSL kernel version by running uname -r inside your WSL distribution; compare it against the fixed stable versions above. If your WSL kernel predates the fix, update it immediately via wsl --update and verify the new version. Microsoft publishes release notes for the WSL kernel, but at the time of writing, no explicit mitigation for this CVE appears in those notes.
Azure Marketplace and AKS Node Pool Admins
Virtual machine images from the Azure Marketplace—especially those with “Azure-tuned” kernels—may contain a Linux kernel provided or curated by Microsoft. Similarly, node pools in Azure Kubernetes Service (AKS) can be configured with custom images or specific kernel versions. These artifacts are distinct from Azure Linux and may not be covered by the current attestation. Inventory all marketplace images and node pools in your estate, record the kernel version of each running instance, and cross-reference with the distro’s own advisory (many are based on Ubuntu, RHEL, or Debian) or with Microsoft’s published VEX/CSAF data if available. If in doubt, treat the kernel as vulnerable until you can confirm the fix.
Developers and Application Owners
Applications that intentionally or accidentally set large socket receive buffers are the direct trigger for this bug. Even if you patch the kernel, consider implementing reasonable SO_RCVBUF limits in your code—many workloads function perfectly with values well below INT_MAX. This is a practical second-layer defense that can prevent similar accounting issues in the future.
Windows Users Without WSL or Azure VMs
If you do not use WSL2 or manage any Azure Linux instances, this vulnerability does not directly affect your Windows host. However, any Windows machine with WSL2 enabled—even for casual development—carries a Linux kernel that requires the same vigilance. Enterprise desktop administrators should include WSL2 kernel versions in their endpoint compliance checks.
How We Got Here: The Timeline
CVE-2025-22058 didn’t appear overnight. The flawed accounting logic was introduced years ago during the evolution of the UDP stack’s memory management. Earlier in 2025, a researcher or developer noticed the anomalous /proc/net/sockstat values and traced them to the missing overflow check. The Linux kernel CVE team assigned the identifier and coordinated the fix with maintainers. The patch landed in Linus Torvalds’ tree and was quickly backported to stable series.
Microsoft’s involvement is tied to a broader transparency initiative. In October 2025, the company began publishing machine-readable Common Security Advisory Framework (CSAF) and Vulnerability Exploitability eXchange (VEX) documents for Azure Linux, promising to expand coverage over time. CVE-2025-22058 is one of the first Linux CVEs for which Microsoft has publicly submitted a product-scoped VEX entry, stating that Azure Linux “is therefore potentially affected.” This is a notable step for a primarily Windows-centric vendor, but it also exposes the boundaries of the current program: only products that Microsoft has actively inventoried and mapped appear in the VEX files. Everything else defaults to “unknown” unless you dig deeper.
Distributions with their own security teams—Debian, Red Hat, SUSE, Ubuntu—published advisories within days of the upstream fix. Because Azure Linux is a Microsoft-curated distribution, its users rely on Microsoft for patch delivery rather than the upstream distro directly. The delay between the upstream fix and Microsoft’s attestation was minimal, but the gap remains for other Microsoft artifacts.
What to Do Now: A Practical Checklist
-
Inventory all Microsoft-supplied Linux kernels in your estate. Include: Azure Linux VMs, Azure Marketplace images with “Azure-tuned” kernels, AKS node pools, WSL2 installations on Windows clients and servers, and any container images published by Microsoft. If it runs a kernel and came from Microsoft, list it.
-
Verify kernel versions for every instance. Run
uname -rand compare against the fixed stable versions above or your distributor’s advisory. For WSL2, useuname -rinside the WSL environment; the output will look like5.15.146.1-microsoft-standard-WSL2. Check Microsoft’s WSL kernel release notes for the corresponding upstream base version. -
Patch Azure Linux immediately. Follow Microsoft’s Azure Linux upgrade guidance and apply the azl kernel security updates. Use your standard patch management pipeline—yum, dnf, or Azure Update Manager—to deploy the fixed kernel.
-
Update WSL2 via
wsl --update. Open PowerShell or Command Prompt as administrator and runwsl --update. Optionally, runwsl --update --web-downloadif you want the latest kernel from Microsoft’s servers. After updating, restart your WSL distributions and confirm the new kernel version withuname -r. -
Patch other Linux instances according to the distributor. For Ubuntu on Azure, install the
linux-azurekernel update from the Ubuntu security advisory. For Red Hat, apply the RHSA-released kernel. For SUSE, zypper patch. Amazon Linux customers refer to Amazon’s advisory. Each vendor’s package manager will pull the fixed kernel. -
Apply a temporary mitigation when immediate patching isn’t possible. Constrain
SO_RCVBUFin your applications. You can enforce limits via system-widesysctlcontrols likenet.core.rmem_max, but the most effective immediate step is to review application code and configuration to ensure socket buffer sizes are not set absurdly high. Most server workloads never need values beyond a few megabytes. -
Request formal attestation for uncovered Microsoft artifacts if your compliance demands it. Open a support ticket through the Azure portal or your Microsoft account team, asking for a VEX/CSAF mapping for the specific product (e.g., “WSL2 kernel” or “Azure Marketplace Ubuntu image with Azure-tuned kernel”). Microsoft has stated it will update CVEs when additional carriers are identified; proactive customer pressure can accelerate that process.
Outlook: What to Watch Next
Microsoft’s nascent CSAF/VEX program is still finding its footing in the Linux ecosystem. The company has publicly committed to expanding the scope beyond Azure Linux, but no firm timeline exists. For now, every CVE that touches the Linux kernel will force admins to play a game of kernel-version hopscotch across Microsoft’s product portfolio. While the upstream and distribution response to CVE-2025-22058 was swift, the real test will be whether Microsoft can consistently deliver timely attestations for all the Linux artifacts it ships—WSL2, Azure-tuned kernels, container base images—or whether these second-tier products remain in an extended shadow inventory.
If you run WSL2 or manage hybrid Linux environments on Azure, set up a recurring job to collect kernel versions from all machines and feed them into your vulnerability scanner. The sooner you have a complete picture, the sooner you can close this particular gap. And if you rely on Microsoft to explicitly tell you when WSL2 is safe, it might be time to open a support request. The patch is already out there; the missing piece is Microsoft’s acknowledgement.