Linux CVEs, more than you ever wanted to know

(kroah.com)

53 points by voxadam9 hours ago

5 comments

1vuio0pswjnm74 hours ago
<a href="https://web.archive.org/web/20251210012827if_/http://www.kroah.com/log/blog/2025/12/08/linux-cves-more-than-you-ever-wanted-to-know/" rel="nofollow">https://web.archive.org/web/20251210012827if_/http://www.kro...</a>
paulryanrogers8 hours ago
Looking forward to posts links in the series. This seems like a bit of a tease.
- dredmorbius8 hours ago
  2nd 'graph of TFA links five talks on the topic all within the past two years.
  - paulryanrogers5 hours ago
    Perhaps I misunderstand, but aren't those far above the "So here’s a series of posts" and its bullet list?
loph8 hours ago
[flagged]
- tomhow8 hours ago
 Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.<a href="https://news.ycombinator.com/newsguidelines.html">https://news.ycombinator.com/newsguidelines.html</a>
- landr0id8 hours ago
 I'm surprised Firefox didn't warn me when I went to the page. Hostile teleco/MITM waiting for HTTP traffic are a real-world way that nation states deliver exploits.
 - vpShane7 hours ago
 It did for Librewolf -- what I moved to from Firefox. Self-Signed certs I'm down with, http I'm not, and never will be for any reason. Plain-text data transmissions have no acceptable reasoning.
 - schmuckonwheels7 hours ago
 You do realize self-signed certs are useless, could have been tampered with, and could have just as easily been created by a malicious actor?There's a reason most default self signed certs are called "snake oil".
 - gldrk6 hours ago
 You can pre-share the certificate out of band, or set up your browser to TOFU like SSH does. Then they are not useless and may be superior to PKI for certain threat models.
 - gldrk6 hours ago
 PKI is basically powerless against nation states executing a targeted MITM attack. It does prevent them from passively snooping everything.
 - vhcr6 hours ago
 You can enable it in the settings.
- actionfromafar8 hours ago
 Posted on December 8, 2025 | Greg K-HIt’s been almost 2 full years since Linux became a CNA⁰ (Certificate Numbering Authority) which meant that we (i.e. the kernel.org community) are now responsible for issuing all CVEs for the Linux kernel. During this time, we’ve become one of the largest creators of CVEs by quantity, going from nothing to number 3 in 2024 to number 1 in 2025. Naturally, this has caused some questions about how we are both doing all of this work, and how people can keep track of it.I’ve given a number of talks over the past years about this, starting with the Open Source security podcast right after we became¹ a CNA and then the Kernel Recipes 2024 talk, “CVEs are alive, but do not panic”² and then a talk³ at OSS Hong Kong 2024 about the same topic with updated numbers and later a talk at OSS Japan⁴ 2024 with more info about the same topic and finally for 2024 a talk with more detail⁵ that I can’t find the online version.In 2025 I did lots of work on the CRA⁶ so most of my speaking⁷ over this year has been about that topic , but the CVE assignment work continued on, evolving to meet many of the issues we had in our first year of being a CNA. As that work is not part of the Linux kernel source directly, it’s not all that visable to the normal development process, except for the constant feed on the linux-cve-announce mailing list⁸ I figured it was time to write down how this is all now working, as well a bunch of background information about how Linux is developed that is relevant for how we do CVE reporting (i.e. almost all non-open-source-groups don’t seem to know how to grasp our versioning scheme.)There is a in-kernel document⁹ that describes how CVEs can be asked for from the kernel community, as well as a basic summary of how CVEs are automatically asigned. But as we are an open community, it’s good to go into more detail as to how all of us do this work, explaining how our tools have evolved over time and how they work, why some things are the way they are for our releases, as well as document a way that people can track CVE assignments on their own in a format that is, in my opinion, much simpler than attempting to rely on the CVE json format (and don’t get me started on NVD…)So here’s a series of posts going into all of this, hopefully providing more information than you ever wanted to know, which might be useful for other open source projects as they start to run into many of the same issues we have already dealt with (i.e. how to handle reports at scale):<pre><code> Linux kernel versions, how the Linux kernel releases are¹⁰ numbered.</code></pre> (contents served over SSL, by virtue of YC)0: <a href="http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/" rel="nofollow">http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/</a>1: <a href="https://opensourcesecurity.io/2024/02/25/episode-417-linux-kernel-security-with-greg-k-h/" rel="nofollow">https://opensourcesecurity.io/2024/02/25/episode-417-linux-k...</a>2: <a href="https://kernel-recipes.org/en/2024/cves-are-alive-but-no-not-panic/" rel="nofollow">https://kernel-recipes.org/en/2024/cves-are-alive-but-no-not...</a>3: <a href="https://www.youtube.com/watch?v=at-uDXbX-18" rel="nofollow">https://www.youtube.com/watch?v=at-uDXbX-18</a>4: <a href="https://www.youtube.com/watch?v=KumwRn1BA6s" rel="nofollow">https://www.youtube.com/watch?v=KumwRn1BA6s</a>5: <a href="https://ossmw2024.sched.com/event/1sLVt/welcome-keynote-50-cves-a-week-how-the-linux-kernel-project-went-from-ignoring-cves-to-embracing-them-greg-kroah-hartman-fellow-the-linux-foundation" rel="nofollow">https://ossmw2024.sched.com/event/1sLVt/welcome-keynote-50-c...</a>6: <a href="https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act" rel="nofollow">https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...</a>7: <a href="https://kernel-recipes.org/en/2025/schedule/the-cra-and-what-it-means-for-us/" rel="nofollow">https://kernel-recipes.org/en/2025/schedule/the-cra-and-what...</a>8: <a href="https://lore.kernel.org/linux-cve-announce/" rel="nofollow">https://lore.kernel.org/linux-cve-announce/</a>9: <a href="https://www.kernel.org/doc/html/latest/process/cve.html" rel="nofollow">https://www.kernel.org/doc/html/latest/process/cve.html</a>10: <a href="http://www.kroah.com/log/blog/2025/12/09/linux-kernel-version-numbers/" rel="nofollow">http://www.kroah.com/log/blog/2025/12/09/linux-kernel-versio...</a>
1970-01-018 hours ago
[flagged]
- kvemkon8 hours ago
 But how do you know, that if kroah.com would use Let's Encrypt it would belong to Greg K-H? What if his true WEB-site would be e.g. greg-k-h.com?
 - a99c43f2d5655048 hours ago
 Right. Also, when it comes to the other aspects of TLS, such as preventing middlemen from making sense of what information flows between you and the server, what exactly is the threat in this case? I mean, it's a public blog post, which you only ask to read and so you are served.
 - vpShane7 hours ago
 It's not about threat, it's about privacy. I understand your statements but 'what is the threat in this case' to answer that: I don't want to know, I've moved on from those worries. Always encrypt.
 - vhcr6 hours ago
 What privacy? Whoever is watching your traffic can see you accessed their website with HTTPS, they can guess with high accuracy which article you are reading based on the response size.
- schmuckonwheels8 hours ago
 Objectively better than serving 12MB of JavaScript slop, trackers, and "analytics" over HTTPS so you can share a recipe for flan.Greg K-H has more credibility than 99% of posters here.He's literally the #2 guy in Linuxworld (behind Linus). What have you done?
 - 1970-01-017 hours ago
 You enumerated the security risks of clear text transmission over the Internet and everything came up green because the blogger works on Linux?
 - MobiusHorizons3 hours ago
 Please don't get me wrong. I'm glad the world has mostly transitioned over to HTTPS, but what are you actually concerned about with reading a blog post over HTTP? If you had to log in or post form data, or hosted binaries or something I would get it. But what is wrong with reading an article in the clear? And how would SSL prevent that?
 - schmuckonwheels7 hours ago
 If you are too afraid to click a cleartext HTTP link then don't; it's not for you. Just spare the rest of us the melodrama.While you are at it, better not ever update Debian or any number of other OSes because their updates are served over plain HTTP.
 - 1970-01-017 hours ago
 You almost had a great point here. If he began every blog rant with BEGIN PGP SIGNED MESSAGE and included a digital key somewhere secure, somewhere that I could go and verify, just Debian does with updates, I maybe could tolerate the cleartext. But he clearly didn't (pun alert!)
 - vpShane7 hours ago
 I enjoy this person's writings, and contributions. I am Linux's biggest fan and research cyber security daily.I would prefer https.
 - schmuckonwheels7 hours ago
 I prefer a nice cappuccino, but sometimes all that's available is plain black coffee from the shared pot in the canteen (which someone could have tampered with).But we drink it anyway (at risk) because it's free.
throw3290848 hours ago
This blog post, brought to you by the man who wants to burn down the CVE system <a href="https://lwn.net/Articles/1049140/" rel="nofollow">https://lwn.net/Articles/1049140/</a>
- accelbred3 hours ago
 I, this last week, had to spend hours dealing with a fake CVE that was opened 2 years ago on an open source dependency of our project for a bug that amounts to "if you have RCE, you can construct a malicious java datatype and call this function on it to trigger a stack overflow". The github thread on the lib is full of the maintainers having to deal with hundreds of people asking them for updates on an obviously fake CVE. Yet the CVE is still up and has not been deleted. And I now get a request from a customer about fixing this vuln in our code their CVE scanner found.The CVE system is broken and its death would be a good riddance.
- TheDong4 hours ago
 One of the many people who know the CVE system is elaborately broken in many ways.Please, tell me what issues you have with how the kernel does CVEs.
 - raesene91 hour ago
 Not op but if you are looking for information on why sone people arent keen on the kernels approach to CVE management <a href="https://jericho.blog/2024/02/26/the-linux-cna-red-flags-since-2022/" rel="nofollow">https://jericho.blog/2024/02/26/the-linux-cna-red-flags-sinc...</a> might be of interest
- DeepYogurt5 hours ago
 To be fair the CVE system can't even encode a version string
 - spockz24 minutes ago
 Not sure whether this is a limitation of the scanning tooling or of the CVE format itself, it also cannot express sub packages. So if some Jackson-very-specific-module has a CVE the whole of Jackson gets marked as impacted. Same with netty.