Known vulnerabilities detected on Windows container images

[pjanotti]

Hi, we run anchore/Grype against the container images that we release and we've noticed several known vulnerabilities coming from the base image. Below are the results of a scan of mcr.microsoft.com/windows/servercore:ltsc2025:

NAME     INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK          
7-Zip    21.07      24.09     binary  CVE-2025-0411        �[38;5;203mHigh�[0m      40.3% (97th)   76.1   �[1;7;38;5;198m KEV �[0m  
7-Zip    21.07      22.01     binary  CVE-2023-31102       �[38;5;203mHigh�[0m      35.5% (96th)   27.2          
7-Zip    21.07      24.07     binary  CVE-2024-11477       �[38;5;203mHigh�[0m      33.0% (96th)   25.3          
7-Zip    21.07      23.00     binary  CVE-2023-40481       �[38;5;203mHigh�[0m      2.6% (84th)    2.0           
7-Zip    21.07      24.01     binary  CVE-2023-52169       �[38;5;203mHigh�[0m      0.2% (36th)    0.1           
SQLite   3.43.2     3.49.1    binary  CVE-2025-3277        �[1;38;5;198mCritical�[0m  0.1% (31st)    0.1           
7-Zip    21.07      24.08     binary  CVE-2024-11612       �[38;5;178mMedium�[0m    0.1% (32nd)    < 0.1         
SQLite   3.43.2     3.50.2    binary  CVE-2025-6965        �[1;38;5;198mCritical�[0m  < 0.1% (23rd)  < 0.1         
SQLite   3.43.2     3.49.1    binary  CVE-2025-29087       �[38;5;203mHigh�[0m      < 0.1% (18th)  < 0.1         
7-Zip    21.07      25.00     binary  CVE-2025-53816       �[38;5;203mHigh�[0m      < 0.1% (13th)  < 0.1         
7-Zip    21.07      25.00     binary  CVE-2025-53817       �[38;5;203mHigh�[0m      < 0.1% (10th)  < 0.1         
7-Zip    21.07      25.01     binary  CVE-2025-55188       �[38;5;36mLow�[0m       < 0.1% (2nd)   < 0.1         

All 7-Zip ones are for a single dll:

/Files/Windows/WinSxS/amd64_windows-senseclient-service_31bf3856ad364e35_10.0.26100.4768_none_43cb7db83f4f3973/7z.dll

For the SQLLite issues there are 2 flavors of the same dlls causing the issue:

/Files/Windows/SysWOW64/winsqlite3.dll
/Files/Windows/System32/winsqlite3.dll

Since these vulnerabilities are being reported on the latest Windows 2025 ServerCore I would like to know if there is a plan to update these files or if the Windows container team recommends any procedure regarding these vulnerabilities.

[github-actions]

Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.

[pjanotti]

I'm not sure if this is a support case, but, it doesn't look it should be a new security issue because the vulnerabilities are well known. It will be good for users of Windows docker images if Microsoft provided some guidance for this issue.

[akarshm]

Thanks for reaching out, @pjanotti! We update the Windows Server container images with the latest security fixes every Patch Tuesday - the most recent update was pushed to Microsoft Artifact Registry on October 14 (see here). These images are continuously scanned using Defender for Containers, and no known vulnerabilities have been detected. It’d be great if you could pull the latest image and check if the issue still shows up on your end.

[pjanotti]

Thanks for the update @akarshm. Many of the vulnerabilities in the initial report were resolved. I was able to remove many of the suppressions from our scan, see diff here. Some vulnerabilities still remain but they are all reported as low risk:

 Downloads $ grype.exe mcr.microsoft.com/windows/servercore:ltsc2025
 ✔ Loaded image                                                                                                         mcr.microsoft.com/windows/servercore:ltsc2025
 ✔ Parsed image                                                                               sha256:d2be4b0d11c6888914777bf9fcaa3384ac1eedc2ae20860b052ea2cd1394d5d1
 ✔ Cataloged contents                                                                                aa413f246a2bad7ccb1adb187049d9c8de272cda2d9b98cad430a87df7a90a45
   ├── ✔ Packages                        [5,329 packages]
   ├── ✔ Executables                     [8,661 executables]
   ├── ✔ File metadata                   [5,329 locations]
   └── ✔ File digests                    [5,329 files]
 ✔ Scanned for vulnerabilities     [19 vulnerability matches]
   ├── by severity: 10 critical, 8 high, 0 medium, 1 low, 0 negligible
   └── by status:   19 fixed, 0 not-fixed, 0 ignored
NAME     INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK
SQLite   3.43.2     3.49.1    binary  CVE-2025-3277        Critical  < 0.1% (25th)  < 0.1
7-Zip    24.09      25.00     binary  CVE-2025-53816       High      < 0.1% (20th)  < 0.1
7-Zip    24.09      25.00     binary  CVE-2025-53817       High      < 0.1% (17th)  < 0.1
SQLite   3.43.2     3.49.1    binary  CVE-2025-29087       High      < 0.1% (9th)   < 0.1
SQLite   3.43.2     3.50.2    binary  CVE-2025-6965        Critical  < 0.1% (5th)   < 0.1
7-Zip    24.09      25.01     binary  CVE-2025-55188       Low       < 0.1% (8th)   < 0.1
MimeKit  4.3.0.0    4.7.1     dotnet  GHSA-gmc6-fwg3-75m5  High      N/A            N/A

[akarshm]

Thanks for the confirmation, @pjanotti. I looked at the anchore/Grype
documentation and did not find support for Windows Containers. Historically, we have also seen that different vulnerability management solutions vary in their reporting, but I can assure you that as long as you keep your container images up to date as they are published each month, you should be secure.

[pjanotti]

Given the update and information above, I'm going to close this issue as completed.