Missing CVE remediation information from the release notes of the Ubuntu Jammy stemcell

Article ID: 396041

Products

VMware Tanzu Application Service
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Kubernetes Grid Integrated Edition (Core)
VMware Tanzu Kubernetes Grid Integrated Edition Starter Pack (Core)
VMware Tanzu Platform

Issue/Introduction

When looking up a specific CVE that has already been fixed upstream (for example, by Ubuntu) on the Release Notes page of the Ubuntu Jammy stemcell, the CVE may not be listed on the page.

Environment

VMware Tanzu Platform for Cloud Foundry

VMware Tanzu Kubernetes Grid Integrated Edition

Cause

This is most likely because the CVE was fixed only recently and the latest stemcell release has not yet consumed the fix: the upstream fix was published after that stemcell release was built.

Resolution

The following steps can be run to determine whether the latest version of the stemcell includes the fix for a CVE.

To confirm the current version of a package that is shipped with the latest stemcell version, follow these steps:

  1. Find the latest version of the Ubuntu Jammy stemcell from the Stemcells page.
  2. Download the latest version of the stemcell.
  3. Uncompress the stemcell tarball.
    $ tar xvfz bosh-stemcell-1.808-azure-hyperv-ubuntu-jammy-go_agent.tgz
  4. The uncompressed files include a file named 'packages.txt'.  Get the version of the package in question by searching for its name in 'packages.txt'.  As an example, here is a search (using the 'grep' command) for the version of the libxml2 package:
    $ grep libxml2 packages.txt
    ii  libxml2:amd64                          2.9.13+dfsg-1ubuntu0.6                  amd64        GNOME XML library
    ii  libxml2-dev:amd64                      2.9.13+dfsg-1ubuntu0.6                  amd64        GNOME XML library - development files

From the example search, the version of the libxml2 package is "2.9.13+dfsg-1ubuntu0.6".  This can then be compared to the fixed version that is stated in the Security Advisory for a particular CVE (e.g., CVE-2025-32414).  By comparing these versions, it can be confirmed whether or not the CVE is already fixed in the latest version of the stemcell.
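The script below is an added example, not part of this article or of the stemcell project. It automates steps 3 and 4 and the comparison described above: it parses the 'ii' rows of packages.txt, drops the architecture qualifier, and orders versions the way dpkg does (epoch, then upstream version, then Debian revision, with '~' sorting lowest and digit runs compared numerically), so that a plain string comparison does not mis-rank 0.10 against 0.9. The packages.txt content is constructed for illustration; the fixed version to compare against must be taken from the Ubuntu security advisory for the CVE.

```python
import re
from itertools import zip_longest

# Constructed sample in the 'ii  name  version  arch  description' layout of
# packages.txt; the two libxml2 rows are the ones shown on this page.
PACKAGES_TXT = """\
ii  libxml2:amd64      2.9.13+dfsg-1ubuntu0.6  amd64  GNOME XML library
ii  libxml2-dev:amd64  2.9.13+dfsg-1ubuntu0.6  amd64  GNOME XML library - development files
ii  openssl            3.0.2-0ubuntu1.18       amd64  Secure Sockets Layer toolkit
"""

def _char_order(c):
    # dpkg rule for non-digit characters: '~' sorts before everything (even end
    # of string), then end of string, then letters, then every other character.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Alternate non-digit runs (compared per character) and digit runs
    # (compared numerically) until both strings are exhausted.
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        sa, sb = re.match(r"\D*", a[ia:]).group(), re.match(r"\D*", b[ib:]).group()
        ia, ib = ia + len(sa), ib + len(sb)
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _char_order(x) != _char_order(y):
                return 1 if _char_order(x) > _char_order(y) else -1
        da, db = re.match(r"\d*", a[ia:]).group(), re.match(r"\d*", b[ib:]).group()
        ia, ib = ia + len(da), ib + len(db)
        if int(da or 0) != int(db or 0):
            return 1 if int(da or 0) > int(db or 0) else -1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 using the ordering `dpkg --compare-versions` applies."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def package_versions(packages_txt):
    """Map package name (architecture qualifier dropped) to version for 'ii' rows."""
    rows = (line.split() for line in packages_txt.splitlines())
    return {f[1].split(":")[0]: f[2] for f in rows if len(f) >= 3 and f[0] == "ii"}

def is_fixed(packages_txt, package, fixed_version):
    """True if shipped >= advisory's fixed version, False if older, None if absent."""
    shipped = package_versions(packages_txt).get(package)
    return None if shipped is None else compare_versions(shipped, fixed_version) >= 0
```

Run it against the real packages.txt from the downloaded stemcell with the package name and fixed version quoted in the advisory; a result of None means the package is not shipped in the stemcell at all, so the CVE does not apply to it.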

If the latest stemcell version doesn't have the fix yet, and the fix is already available upstream, then the fix should be automatically included in the upcoming release of the stemcell.