CVEs

Common Vulnerabilities and Exposure (CVE®) numbers were developed as an unambiguous way to identify, define, and catalog publicly disclosed security vulnerabilities. Over time, their usefulness has declined with regards to the kernel project, and CVE numbers were very often assigned in inappropriate ways and for inappropriate reasons. Because of this, the kernel development community has tended to avoid them. However, the combination of continuing pressure to assign CVEs and other forms of security identifiers, and ongoing abuses by individuals and companies outside of the kernel community, has made it clear that the kernel community should have control over those assignments.

The Linux kernel developer team does have the ability to assign CVEs for potential Linux kernel security issues. This assignment is independent of the normal Linux kernel security bug reporting process.

A list of all assigned CVEs for the Linux kernel can be found in the archives of the linux-cve mailing list, as seen on https://lore.kernel.org/linux-cve-announce/. To get notice of the assigned CVEs, please subscribe to that mailing list.

Process

As part of the normal stable release process, kernel changes that are potentially security issues are identified by the developers responsible for CVE number assignments and have CVE numbers automatically assigned to them. These assignments are published on the linux-cve-announce mailing list as announcements on a frequent basis.

Note, due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team is overly cautious and assigns CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team.

If the CVE assignment team misses a specific fix that any user feels should have a CVE assigned to it, please email them at <cve@kernel.org> and the team there will work with you on it. Note that no potential security issues should be sent to this alias; it is ONLY for assignment of CVEs for fixes that are already in released kernel trees. If you feel you have found an unfixed security issue, please follow the normal Linux kernel security bug reporting process.

No CVEs will be automatically assigned for unfixed security issues in the Linux kernel; assignment will only automatically happen after a fix is available and applied to a stable kernel tree, and it will be tracked that way by the git commit id of the original fix. If anyone wishes to have a CVE assigned before an issue is resolved with a commit, please contact the kernel CVE assignment team at <cve@kernel.org> to get an identifier assigned from their batch of reserved identifiers.

No CVEs will be assigned for any issue found in a version of the kernel that is not currently being actively supported by the Stable/LTS kernel team. A list of the currently supported kernel branches can be found at https://kernel.org/releases.html

Disputes of assigned CVEs

The authority to dispute or modify an assigned CVE for a specific kernel change lies solely with the maintainers of the relevant subsystem affected. This principle ensures a high degree of accuracy and accountability in vulnerability reporting. Only those individuals with deep expertise and intimate knowledge of the subsystem can effectively assess the validity and scope of a reported vulnerability and determine its appropriate CVE designation. Any attempt to modify or dispute a CVE outside of this designated authority could lead to confusion, inaccurate reporting, and ultimately, compromised systems.

Invalid CVEs

If a security issue is found in a Linux kernel that is only supported by a Linux distribution, either because of the changes that have been made by that distribution or because the distribution supports a kernel version that is no longer one of the kernel.org supported releases, then a CVE cannot be assigned by the Linux kernel CVE team and must be asked for from that Linux distribution itself.

Any CVE that is assigned against the Linux kernel for an actively supported kernel version, by any group other than the kernel CVE assignment team, should not be treated as a valid CVE. Please notify the kernel CVE assignment team at <cve@kernel.org> so that they can work to invalidate such entries through the CNA remediation process.

Applicability of specific CVEs

As the Linux kernel can be used in many different ways, with many different ways of accessing it by external users, or no access at all, the applicability of any specific CVE is up to the user of Linux to determine; it is not up to the CVE assignment team. Please do not contact us to attempt to determine the applicability of any specific CVE.

Also, as the source tree is so large, and any one system only uses a small subset of the source tree, any users of Linux should be aware that large numbers of assigned CVEs are not relevant for their systems.

In short, we do not know your use case, and we do not know what portions of the kernel you use, so there is no way for us to determine if a specific CVE is relevant for your system.
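As an added illustration of the triage this section leaves to the user (not part of the kernel documentation or its tooling), the script below checks each announced fix against the object files of one kernel build: a fix is "applied" when its commit id is already in the tree, "relevant" when it touches a compiled source file or a header, "not-built" otherwise, and "no-runtime-code" when it only touches trees such as tools/ that never reach the running image. All CVE ids, commit ids and the build inventory are constructed placeholders.

```python
"""Triage kernel CVE fixes against the code actually built into one kernel.
Added illustration, not kernel documentation or tooling; all CVE ids,
commit ids and the object-file inventory below are constructed."""
from dataclasses import dataclass

# Trees whose files never end up in the running kernel image.
NON_RUNTIME = ("Documentation/", "tools/", "scripts/", "samples/")

@dataclass(frozen=True)
class CveFix:
    cve_id: str           # placeholder ids, not real assignments
    fix_commit: str       # git commit id of the upstream fix
    touched_files: tuple  # source files changed by that commit

def built_sources(object_files):
    """Map built .o files back to the .c files that produced them
    (assumes the usual one-to-one foo.c -> foo.o relationship)."""
    return {o[:-2] + ".c" for o in object_files if o.endswith(".o")}

def classify(fix, built, applied_commits):
    """Return 'applied', 'relevant', 'not-built' or 'no-runtime-code'."""
    if fix.fix_commit in applied_commits:
        return "applied"
    code = [f for f in fix.touched_files if not f.startswith(NON_RUNTIME)]
    if not code:
        return "no-runtime-code"
    # Headers are not in the object inventory; a header fix may affect every
    # unit that includes it, so keep it as relevant rather than drop it.
    if any(f.endswith(".h") or f in built for f in code):
        return "relevant"
    return "not-built"

def triage(fixes, object_files, applied_commits):
    """Verdict per CVE id for a kernel built from object_files."""
    built = built_sources(object_files)
    return {f.cve_id: classify(f, built, applied_commits) for f in fixes}

# Constructed inventory: a small build, one fix already applied, five CVEs.
OBJECTS = ["net/ipv4/tcp_input.o", "fs/ext4/inode.o", "kernel/fork.o"]
APPLIED = {"1" * 40}
FIXES = [
    CveFix("CVE-YYYY-00001", "1" * 40, ("fs/ext4/inode.c",)),
    CveFix("CVE-YYYY-00002", "2" * 40, ("net/ipv4/tcp_input.c",)),
    CveFix("CVE-YYYY-00003", "3" * 40, ("drivers/net/ethernet/intel/e1000/e1000_main.c",)),
    CveFix("CVE-YYYY-00004", "4" * 40, ("include/linux/sched.h",)),
    CveFix("CVE-YYYY-00005", "5" * 40, ("tools/testing/selftests/net/tcp_test.c",)),
]
```

On a real system the object inventory comes from the build tree of the deployed kernel and the applied set from `git` history, and "relevant" still only means "worth reviewing", not "exploitable here".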

As always, it is best to take all released kernel changes, as they are tested together in a unified whole by many community members, and not as individual cherry-picked changes. Also note that for many bugs, the solution to the overall problem is not found in a single change, but by the sum of many fixes on top of each other. Ideally CVEs will be assigned to all fixes for all issues, but sometimes we will fail to notice fixes; therefore, assume that some changes without a CVE assigned might be relevant to take.