Linux CVEs, more than you ever wanted to know
2 days ago
- #Linux
- #CVE
- #Security
- Linux became a CNA (CVE Numbering Authority) almost 2 years ago, making the kernel.org community responsible for issuing CVEs for the Linux kernel.
- Since becoming a CNA, Linux has become one of the largest creators of CVEs by quantity, ranking number 3 in 2024 and number 1 in 2025.
- The author has given multiple talks on this topic, including on the Open Source Security podcast and at Kernel Recipes 2024, OSS Hong Kong 2024, and OSS Japan 2024.
- In 2025, the author focused on the CRA (Cyber Resilience Act) work, but CVE assignment continued to evolve to address issues found in the first year.
- The process of CVE assignment is not directly visible in the Linux kernel source; it can only be observed through the announcements posted to the linux-cve-announce mailing list.
- An in-kernel document outlines how CVEs can be requested and how they are automatically assigned.
- The author plans to provide detailed posts on the evolution of CVE assignment tools, Linux kernel versioning, and ways to track CVE assignments.
- The series aims to offer insights for other open-source projects facing similar challenges in handling reports at scale.