Windows Subsystem For Linux "WSL" Updated For A Yet-To-Be-Public Security Vulnerability
([Microsoft] 5 Hours Ago
WSL 2.5.10)
- Reference: 0001567284
- News link: https://www.phoronix.com/news/Microsoft-WSL-2.5.10
- Source link:
Microsoft today released an updated version of Windows Subsystem for Linux "WSL" that allows running Linux binaries atop Windows 11. There is only one change noted and it's for a yet-to-be-public security vulnerability.
It looks like next week Microsoft will be making public a heavy-hitting WSL security vulnerability that they have gone ahead to release the new version of WSL in advance while confirming the CVE security disclosure details will be made public on 12 August. That date also happens to be this month's Patch Tuesday.
The [1]WSL 2.5.10 release issued minutes ago simply states:
"Fixed CVE-2025-53788 (Details to be published on Aug 12th)"
When digging into [2]the commit for the open-source changes of WSL 2.5.10, it notes:
"Switch wslinfo --vm-id to not rely on presence of VM ID environment variable (#13318)
* Switch WSLg to use wslinfo --vm-id instead of relying on environment variable
* DO NOT MERGE: bad WSLg nuget
* dead code removal
* always send response to LxInitMessageQueryVmId message
* add back invalid WslInfoMode error
* remove unneeded wsl2 check
* use temporary workaround until WSLg update is ready
* unit test update
* Update string compare"
This is the first time I have seen a new WSL open-source release in advance of Microsoft making the CVE security bulletin public. We'll learn more about the WSL security vulnerability next Tuesday.
Update: [3]WSL 2.6.1 is also out now with a fix for CVE-2025-53788 among other fixes.
[1] https://github.com/microsoft/WSL/releases/tag/2.5.10
[2] https://github.com/microsoft/WSL/commit/642331364dda7a3d88bf64acb87e7056918a5fc9
[3] https://github.com/microsoft/WSL/releases/tag/2.6.1
It looks like next week Microsoft will be making public a heavy-hitting WSL security vulnerability that they have gone ahead to release the new version of WSL in advance while confirming the CVE security disclosure details will be made public on 12 August. That date also happens to be this month's Patch Tuesday.
The [1]WSL 2.5.10 release issued minutes ago simply states:
"Fixed CVE-2025-53788 (Details to be published on Aug 12th)"
When digging into [2]the commit for the open-source changes of WSL 2.5.10, it notes:
"Switch wslinfo --vm-id to not rely on presence of VM ID environment variable (#13318)
* Switch WSLg to use wslinfo --vm-id instead of relying on environment variable
* DO NOT MERGE: bad WSLg nuget
* dead code removal
* always send response to LxInitMessageQueryVmId message
* add back invalid WslInfoMode error
* remove unneeded wsl2 check
* use temporary workaround until WSLg update is ready
* unit test update
* Update string compare"
This is the first time I have seen a new WSL open-source release in advance of Microsoft making the CVE security bulletin public. We'll learn more about the WSL security vulnerability next Tuesday.
Update: [3]WSL 2.6.1 is also out now with a fix for CVE-2025-53788 among other fixes.
[1] https://github.com/microsoft/WSL/releases/tag/2.5.10
[2] https://github.com/microsoft/WSL/commit/642331364dda7a3d88bf64acb87e7056918a5fc9
[3] https://github.com/microsoft/WSL/releases/tag/2.6.1
JMB9