xref: /linux/Documentation/process/cve.rst (revision d2a4a07190f42e4f82805daf58e708400b703f1c)
1====
2CVEs
3====
4
5Common Vulnerabilities and Exposure (CVE®) numbers were developed as an
6unambiguous way to identify, define, and catalog publicly disclosed
7security vulnerabilities.  Over time, their usefulness has declined with
8regards to the kernel project, and CVE numbers were very often assigned
9in inappropriate ways and for inappropriate reasons.  Because of this,
10the kernel development community has tended to avoid them.  However, the
11combination of continuing pressure to assign CVEs and other forms of
12security identifiers, and ongoing abuses by individuals and companies
13outside of the kernel community has made it clear that the kernel
14community should have control over those assignments.
15
16The Linux kernel developer team does have the ability to assign CVEs for
17potential Linux kernel security issues.  This assignment is independent
18of the :doc:`normal Linux kernel security bug reporting
19process<../process/security-bugs>`.
20
21A list of all assigned CVEs for the Linux kernel can be found in the
22archives of the linux-cve mailing list, as seen on
23https://lore.kernel.org/linux-cve-announce/.  To get notice of the
24assigned CVEs, please `subscribe
25<https://subspace.kernel.org/subscribing.html>`_ to that mailing list.
26
27Process
28=======
29
30As part of the normal stable release process, kernel changes that are
31potentially security issues are identified by the developers responsible
32for CVE number assignments and have CVE numbers automatically assigned
33to them.  These assignments are published on the linux-cve-announce
34mailing list as announcements on a frequent basis.
35
36Note, due to the layer at which the Linux kernel is in a system, almost
37any bug might be exploitable to compromise the security of the kernel,
38but the possibility of exploitation is often not evident when the bug is
39fixed.  Because of this, the CVE assignment team is overly cautious and
40assign CVE numbers to any bugfix that they identify.  This
41explains the seemingly large number of CVEs that are issued by the Linux
42kernel team.
43
44If the CVE assignment team misses a specific fix that any user feels
45should have a CVE assigned to it, please email them at <cve@kernel.org>
46and the team there will work with you on it.  Note that no potential
47security issues should be sent to this alias, it is ONLY for assignment
48of CVEs for fixes that are already in released kernel trees.  If you
49feel you have found an unfixed security issue, please follow the
50:doc:`normal Linux kernel security bug reporting
51process<../process/security-bugs>`.
52
53No CVEs will be automatically assigned for unfixed security issues in
54the Linux kernel; assignment will only automatically happen after a fix
55is available and applied to a stable kernel tree, and it will be tracked
56that way by the git commit id of the original fix.  If anyone wishes to
57have a CVE assigned before an issue is resolved with a commit, please
58contact the kernel CVE assignment team at <cve@kernel.org> to get an
59identifier assigned from their batch of reserved identifiers.
60
61No CVEs will be assigned for any issue found in a version of the kernel
62that is not currently being actively supported by the Stable/LTS kernel
63team.  A list of the currently supported kernel branches can be found at
64https://kernel.org/releases.html
65
66Disputes of assigned CVEs
67=========================
68
69The authority to dispute or modify an assigned CVE for a specific kernel
70change lies solely with the maintainers of the relevant subsystem
71affected.  This principle ensures a high degree of accuracy and
72accountability in vulnerability reporting.  Only those individuals with
73deep expertise and intimate knowledge of the subsystem can effectively
74assess the validity and scope of a reported vulnerability and determine
75its appropriate CVE designation.  Any attempt to modify or dispute a CVE
76outside of this designated authority could lead to confusion, inaccurate
77reporting, and ultimately, compromised systems.
78
79Invalid CVEs
80============
81
82If a security issue is found in a Linux kernel that is only supported by
83a Linux distribution due to the changes that have been made by that
84distribution, or due to the distribution supporting a kernel version
85that is no longer one of the kernel.org supported releases, then a CVE
86can not be assigned by the Linux kernel CVE team, and must be asked for
87from that Linux distribution itself.
88
89Any CVE that is assigned against the Linux kernel for an actively
90supported kernel version, by any group other than the kernel assignment
91CVE team should not be treated as a valid CVE.  Please notify the
92kernel CVE assignment team at <cve@kernel.org> so that they can work to
93invalidate such entries through the CNA remediation process.
94
95Applicability of specific CVEs
96==============================
97
98As the Linux kernel can be used in many different ways, with many
99different ways of accessing it by external users, or no access at all,
100the applicability of any specific CVE is up to the user of Linux to
101determine, it is not up to the CVE assignment team.  Please do not
102contact us to attempt to determine the applicability of any specific
103CVE.
104
105Also, as the source tree is so large, and any one system only uses a
106small subset of the source tree, any users of Linux should be aware that
107large numbers of assigned CVEs are not relevant for their systems.
108
109In short, we do not know your use case, and we do not know what portions
110of the kernel that you use, so there is no way for us to determine if a
111specific CVE is relevant for your system.
112
113As always, it is best to take all released kernel changes, as they are
114tested together in a unified whole by many community members, and not as
115individual cherry-picked changes.  Also note that for many bugs, the
116solution to the overall problem is not found in a single change, but by
117the sum of many fixes on top of each other.  Ideally CVEs will be
118assigned to all fixes for all issues, but sometimes we will fail to
119notice fixes, therefore assume that some changes without a CVE assigned
120might be relevant to take.
121
122