Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process

From: Michal Hocko
Date: Thu Feb 15 2024 - 12:54:29 EST


On Wed 14-02-24 09:00:30, Greg KH wrote:
[...]
> +Process
> +-------
> +
> +As part of the normal stable release process, kernel changes that are
> +potentially security issues are identified by the developers responsible
> +for CVE number assignments and have CVE numbers automatically assigned
> +to them. These assignments are published on the linux-cve-announce
> +mailing list as announcements on a frequent basis.
> +
> +Note, due to the layer at which the Linux kernel is in a system, almost
> +any bug might be exploitable to compromise the security of the kernel,
> +but the possibility of exploitation is often not evident when the bug is
> +fixed. Because of this, the CVE assignment team is overly cautious and
> +assign CVE numbers to any bugfix that they identify. This
> +explains the seemingly large number of CVEs that are issued by the Linux
> +kernel team.

Does the process focus only on assigning CVE numbers to a given upstream
commit(s) withou any specifics of the actual security threat covered by
the said CVE?
--
Michal Hocko
SUSE Labs