YYaaa News

Linux Kernel Tops 2026 CVE Charts — 2,308 Bugs, and Maintainer Greg KH Says That's Good News

TL;DR

Linux kernel tops H1 2026 CVE charts with 2,308 disclosures ahead of Google's 1,752; maintainer Greg KH says the number is a transparency signal, not a security one.

The Linux kernel topped the vendor-level CVE rankings for the first half of 2026 with 2,308 disclosures, ahead of Google's 1,752. The counts were posted by longtime stable-kernel maintainer Greg Kroah-Hartman on social.kernel.org, broken down by vendor and by product.

The pivot came in February 2024, when the Linux kernel became its own CVE Numbering Authority (CNA) and adopted a "a bug is a bug" policy — every backported fix in a stable release now gets a CVE, instead of vendors and researchers cherry-picking which flaws are worth disclosing. Kernel CVE volume jumped roughly 10x overnight after the switch.

Kroah-Hartman drew the contrast directly. Most commercial vendors publish only what they internally classify as significant, which keeps their totals tidy without necessarily reflecting fewer fixes. The kernel now publishes every fix, so "CVE count is a transparency metric, not a security metric." He noted he has to update the line in his old talks where he described Linux as trailing other vendors in CVE volume — that framing no longer holds.

The shift has a real operational cost. Kernel advisories used to run a few hundred a year; the first half of 2026 alone produced 2,308, most carrying CNA-filled "N/A" or low CVSS scores, forcing downstream distributions (Red Hat, SUSE, Debian) to re-triage impact. A January 2026 arXiv paper concludes kernel CVE severity labels have "largely lost meaning — only recency still carries signal."

Greg KH's line for the headline readers: "Linux CVE #1 globally" looks bad only if you forget it just means one open-source project registers every bug in public while closed-source vendors keep picking and choosing.

via Linuxiac / PBX Science / LWN on kernel CVE assignment / arXiv 2601.22196
Linux 首次登頂 CVE 榜|2,308 個漏洞壓過 Google,維護者說這是好事