====
CVEs
====

Common Vulnerabilities and Exposures (CVE®) numbers were developed as an
unambiguous way to identify, define, and catalog publicly disclosed
security vulnerabilities. Over time, their usefulness has declined with
regard to the kernel project, and CVE numbers were very often assigned
in inappropriate ways and for inappropriate reasons. Because of this,
the kernel development community has tended to avoid them. However, the
combination of continuing pressure to assign CVEs and other forms of
security identifiers, and ongoing abuses by individuals and companies
outside of the kernel community, has made it clear that the kernel
community should have control over those assignments.

The Linux kernel developer team does have the ability to assign CVEs for
potential Linux kernel security issues. This assignment is independent
of the :doc:`normal Linux kernel security bug reporting
process<../process/security-bugs>`.

A list of all assigned CVEs for the Linux kernel can be found in the
archives of the linux-cve mailing list, as seen on
https://lore.kernel.org/linux-cve-announce/. To get notice of the
assigned CVEs, please `subscribe
<https://subspace.kernel.org/subscribing.html>`_ to that mailing list.

Process
=======

As part of the normal stable release process, kernel changes that are
potentially security issues are identified by the developers responsible
for CVE number assignments and have CVE numbers automatically assigned
to them. These assignments are published on the linux-cve-announce
mailing list as announcements on a frequent basis.

Note that, due to the layer at which the Linux kernel sits in a system,
almost any bug might be exploitable to compromise the security of the
kernel, but the possibility of exploitation is often not evident when
the bug is fixed. Because of this, the CVE assignment team is overly
cautious and assigns CVE numbers to any bugfix that they identify. This
explains the seemingly large number of CVEs that are issued by the Linux
kernel team.

If the CVE assignment team misses a specific fix that any user feels
should have a CVE assigned to it, please email them at <cve@kernel.org>
and the team there will work with you on it. Note that no potential
security issues should be sent to this alias; it is ONLY for assignment
of CVEs for fixes that are already in released kernel trees. If you
feel you have found an unfixed security issue, please follow the
:doc:`normal Linux kernel security bug reporting
process<../process/security-bugs>`.

No CVEs will be automatically assigned for unfixed security issues in
the Linux kernel; assignment will only automatically happen after a fix
is available and applied to a stable kernel tree, and it will be tracked
that way by the git commit id of the original fix. If anyone wishes to
have a CVE assigned before an issue is resolved with a commit, please
contact the kernel CVE assignment team at <cve@kernel.org> to get an
identifier assigned from their batch of reserved identifiers.

No CVEs will be assigned for any issue found in a version of the kernel
that is not currently being actively supported by the Stable/LTS kernel
team. A list of the currently supported kernel branches can be found at
https://kernel.org/releases.html

Disputes of assigned CVEs
=========================

The authority to dispute or modify an assigned CVE for a specific kernel
change lies solely with the maintainers of the relevant subsystem
affected. This principle ensures a high degree of accuracy and
accountability in vulnerability reporting. Only those individuals with
deep expertise and intimate knowledge of the subsystem can effectively
assess the validity and scope of a reported vulnerability and determine
its appropriate CVE designation. Any attempt to modify or dispute a CVE
outside of this designated authority could lead to confusion, inaccurate
reporting, and ultimately, compromised systems.

Invalid CVEs
============

If a security issue is found in a Linux kernel that is only supported by
a Linux distribution due to the changes that have been made by that
distribution, or due to the distribution supporting a kernel version
that is no longer one of the kernel.org supported releases, then a CVE
cannot be assigned by the Linux kernel CVE team, and must be asked for
from that Linux distribution itself.

Any CVE that is assigned against the Linux kernel for an actively
supported kernel version by any group other than the kernel CVE
assignment team should not be treated as a valid CVE. Please notify the
kernel CVE assignment team at <cve@kernel.org> so that they can work to
invalidate such entries through the CNA remediation process.

Applicability of specific CVEs
==============================

As the Linux kernel can be used in many different ways, with many
different ways of accessing it by external users, or no access at all,
the applicability of any specific CVE is up to the user of Linux to
determine; it is not up to the CVE assignment team. Please do not
contact us to attempt to determine the applicability of any specific
CVE.

Also, as the source tree is so large, and any one system only uses a
small subset of the source tree, any users of Linux should be aware that
large numbers of assigned CVEs are not relevant for their systems.

In short, we do not know your use case, and we do not know what portions
of the kernel you use, so there is no way for us to determine if a
specific CVE is relevant for your system.

As always, it is best to take all released kernel changes, as they are
tested together in a unified whole by many community members, and not as
individual cherry-picked changes. Also note that for many bugs, the
solution to the overall problem is not found in a single change, but by
the sum of many fixes on top of each other. Ideally CVEs will be
assigned to all fixes for all issues, but sometimes we will fail to
notice fixes; therefore, assume that some changes without a CVE assigned
might be relevant to take.