Documentation/process/cve.rst

8 regards to the kernel project, and CVE numbers were very often assigned
9 in inappropriate ways and for inappropriate reasons.  Because of this,
10 the kernel development community has tended to avoid them.  However, the
13 outside of the kernel community has made it clear that the kernel
16 The Linux kernel developer team does have the ability to assign CVEs for
17 potential Linux kernel security issues.  This assignment is independent
18 of the :doc:`normal Linux kernel security bug reporting
19 process<../process/security-bugs>`.
21 A list of all assigned CVEs for the Linux kernel can be found in the
22 archives of the linux-cve mailing list, as seen on
23 https://lore.kernel.org/linux-cve-announce/.  To get notice of the
25 <https://subspace.kernel.org/subscribing.html>`_ to that mailing list.
30 As part of the normal stable release process, kernel changes that are
33 to them.  These assignments are published on the linux-cve-announce
36 Note, due to the layer at which the Linux kernel is in a system, almost
37 any bug might be exploitable to compromise the security of the kernel,
42 kernel team.
45 should have a CVE assigned to it, please email them at <cve@kernel.org>
48 of CVEs for fixes that are already in released kernel trees.  If you
50 :doc:`normal Linux kernel security bug reporting
51 process<../process/security-bugs>`.
53 No CVEs will be automatically assigned for unfixed security issues in
54 the Linux kernel; assignment will only automatically happen after a fix
55 is available and applied to a stable kernel tree, and it will be tracked
58 contact the kernel CVE assignment team at <cve@kernel.org> to get an
61 No CVEs will be assigned for any issue found in a version of the kernel
62 that is not currently being actively supported by the Stable/LTS kernel
63 team.  A list of the currently supported kernel branches can be found at
64 https://kernel.org/releases.html
69 The authority to dispute or modify an assigned CVE for a specific kernel
72 accountability in vulnerability reporting.  Only those individuals with
82 If a security issue is found in a Linux kernel that is only supported by
84 distribution, or due to the distribution supporting a kernel version
85 that is no longer one of the kernel.org supported releases, then a CVE
86 can not be assigned by the Linux kernel CVE team, and must be asked for
89 Any CVE that is assigned against the Linux kernel for an actively
90 supported kernel version, by any group other than the kernel assignment
92 kernel CVE assignment team at <cve@kernel.org> so that they can work to
98 As the Linux kernel can be used in many different ways, with many
109 In short, we do not know your use case, and we do not know what portions
110 of the kernel that you use, so there is no way for us to determine if a
113 As always, it is best to take all released kernel changes, as they are
114 tested together in a unified whole by many community members, and not as
115 individual cherry-picked changes.  Also note that for many bugs, the
116 solution to the overall problem is not found in a single change, but by