====
CVEs
====

Common Vulnerabilities and Exposures (CVE®) nu
unambiguous way to identify, define, and catal
security vulnerabilities.  Over time, their us
regards to the kernel project, and CVE numbers
in inappropriate ways and for inappropriate re
the kernel development community has tended to
combination of continuing pressure to assign C
security identifiers, and ongoing abuses by in
outside of the kernel community has made it cl
community should have control over those assig

The Linux kernel developer team does have the
potential Linux kernel security issues.  This
of the :doc:`normal Linux kernel security bug
process<../process/security-bugs>`.

A list of all assigned CVEs for the Linux kern
archives of the linux-cve mailing list, as see
https://lore.kernel.org/linux-cve-announce/.
assigned CVEs, please `subscribe
<https://subspace.kernel.org/subscribing.html>

Process
=======

As part of the normal stable release process,
potentially security issues are identified by
for CVE number assignments and have CVE number
to them.  These assignments are published on t
mailing list as announcements on a frequent ba

Note, due to the layer at which the Linux kern
any bug might be exploitable to compromise the
but the possibility of exploitation is often n
fixed.  Because of this, the CVE assignment te
assign CVE numbers to any bugfix that they ide
explains the seemingly large number of CVEs th
kernel team.

If the CVE assignment team misses a specific f
should have a CVE assigned to it, please email<
and the team there will work with you on it.
security issues should be sent to this alias,
of CVEs for fixes that are already in released
feel you have found an unfixed security issue,
:doc:`normal Linux kernel security bug reporti
process<../process/security-bugs>`.

No CVEs will be automatically assigned for unf
the Linux kernel; assignment will only automat
is available and applied to a stable kernel tr
that way by the git commit id of the original
have a CVE assigned before an issue is resolve
contact the kernel CVE assignment team at <cve@
identifier assigned from their batch of reserv

No CVEs will be assigned for any issue found i
that is not currently being actively supported
team.  A list of the currently supported kerne
https://kernel.org/releases.html

Disputes of assigned CVEs
=========================

The authority to dispute or modify an assigned
change lies solely with the maintainers of the
affected.  This principle ensures a high degre
accountability in vulnerability reporting.  On
deep expertise and intimate knowledge of the s
assess the validity and scope of a reported vu
its appropriate CVE designation.  Any attempt
outside of this designated authority could lea
reporting, and ultimately, compromised systems

Invalid CVEs
============

If a security issue is found in a Linux kernel
a Linux distribution due to the changes that h
distribution, or due to the distribution suppo
that is no longer one of the kernel.org suppor
can not be assigned by the Linux kernel CVE te
from that Linux distribution itself.

Any CVE that is assigned against the Linux ker
supported kernel version, by any group other t
CVE team should not be treated as a valid CVE.
kernel CVE assignment team at <cve@kernel.org>
invalidate such entries through the CNA remedi

Applicability of specific CVEs
==============================

As the Linux kernel can be used in many differ
different ways of accessing it by external use
the applicability of any specific CVE is up to
determine, it is not up to the CVE assignment
contact us to attempt to determine the applica
CVE.

Also, as the source tree is so large, and any
small subset of the source tree, any users of
large numbers of assigned CVEs are not relevan

In short, we do not know your use case, and we
of the kernel that you use, so there is no way
specific CVE is relevant for your system.

As always, it is best to take all released ker
tested together in a unified whole by many com
individual cherry-picked changes.  Also note t
solution to the overall problem is not found i
the sum of many fixes on top of each other.  I
assigned to all fixes for all issues, but some
notice fixes, therefore assume that some chang
might be relevant to take.