An unpatched Azure Linux 3.0 server can be taken over remotely — no password, no insider access required. In a cloud environment, kernel-level compromise of one host can enable an attacker to access workloads, data, and credentials hosted on that system, with potential to move laterally to adjacent cloud resources. Depending on what those systems process, the result can range from service outages and data loss to regulatory breach notification obligations.
You Are Affected If
You run Microsoft Azure Linux 3.0 with the azl3 kernel package at version 6.6.130.1-3 in production
You run any Linux distribution on upstream kernel 6.6.x (including Red Hat or SUSE systems with published advisories for this CVE)
The affected system is internet-accessible or reachable from a multi-tenant network segment without kernel-level exploit mitigations
MPTCP (Multipath TCP) is enabled on the affected kernel (default or configured)
You have not applied the Microsoft April 2026 Patch Tuesday azl3 kernel update or the equivalent vendor errata for your distribution
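The kernel and MPTCP conditions in the list above can be triaged per host with a short script. This is an added example, not part of the original advisory; the function names are hypothetical, and it assumes uname -r on Azure Linux 3.0 reports the package version-release followed by ".azl3" and that MPTCP state is read from the net.mptcp.enabled sysctl.

```shell
#!/bin/sh
# Added triage sketch (not from the advisory). It reports which of the
# kernel and MPTCP conditions listed above a host matches.

# kernel_class RELEASE: classify a `uname -r` string.
# Assumption: Azure Linux 3.0 reports the package version-release followed
# by ".azl3", so the build named in the advisory appears as 6.6.130.1-3.azl3.
kernel_class() {
    case $1 in
        6.6.130.1-3.azl3*) echo "named-build" ;;  # exact build the advisory lists
        6.6.*)             echo "6.6-series" ;;   # other upstream 6.6.x kernels
        *)                 echo "other" ;;
    esac
}

# read_mptcp_flag [PATH]: value of the net.mptcp.enabled sysctl file,
# or "absent" when the kernel exposes no MPTCP sysctl.
read_mptcp_flag() {
    f=${1:-/proc/sys/net/mptcp/enabled}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo "absent"; fi
}

# mptcp_class FLAG: normalise the sysctl value.
mptcp_class() {
    case $1 in
        1)      echo "mptcp-on" ;;
        0)      echo "mptcp-off" ;;
        absent) echo "mptcp-absent" ;;
        *)      echo "mptcp-unknown" ;;
    esac
}

# classify_host RELEASE FLAG: combined verdict, e.g. "named-build/mptcp-on".
classify_host() {
    echo "$(kernel_class "$1")/$(mptcp_class "$2")"
}

# Live check on the current host.
echo "$(uname -n): $(classify_host "$(uname -r)" "$(read_mptcp_flag)")"
```

The verdict only maps a host onto the listed conditions. Whether a 6.6.x kernel already carries the fix has to be confirmed against the vendor errata, since the advisory text here does not state a fixed version.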
Board Talking Points
A critical flaw in our Azure Linux 3.0 server software allows a remote attacker to take full control of affected systems with no login credentials required.
We should apply the vendor-released patch to all affected systems within 24-48 hours; a controlled reboot is required and should be scheduled immediately.
Unpatched systems remain fully exposed to remote takeover, which could result in data loss, service outages, or a breach requiring regulatory notification.