This repository contains a list of assessments for Common Vulnerabilities and Exposures (CVEs) issued by the kernel.org CNA. Anyone is welcome to submit analysis to the linux-cve-analysis project, and those analyses will be reviewed by the Linux CVE Workgroup.
The linux-cve-analysis project aims to be used as an amendment to, and not a replacement for, the kernel.org vulns.git repository. Because it's an amendment to that repo, information which is already present in vulns.git, such as the files affected and the fixing or breaking commits, is not included in this repo.
The Workgroup's objective is to let engineers from different companies come together and collaborate on CVE analysis, rather than having them work in isolation. With the Linux kernel becoming a CNA, the volume of CVEs has increased significantly, and the community showed interest in having an intermediate layer between the linux-cve-announce mailing list and downstream vulnerability ingestors.
List of the CVEs published by the kernel CNA: kernel-CVEs. All assessments are generated by the Linux CVE Workgroup.
All CVEs are analyzed in separate files, under the vulns/ folder. The format for the analysis is a set of labels expressed in a YML file, with a structure documented in template.yml. This is inspired by the cip-project, but aims at being more technically oriented.
The audience for the linux-cve-analysis project is human reviewers who are responsible for making subjective and use-case-specific determinations about those vulnerabilities.
While the impact of a particular vulnerability will vary based on how the kernel is being used, we have found that there is factual, objective information which describes the effect of code defects and is generic across use cases. This project seeks to compile those factual, objective descriptions while avoiding vendor-specific or subjective evaluations of those vulnerabilities. Inclusion of subjective or use-case-specific analysis is generally discouraged but may be included in the Notes field. CVSS scores are considered use-case specific and are therefore discouraged for this repo.
The following guidelines may be helpful in filling out the template.yml description:
- Strict adherence to the YAML format is not required, but following the template is generally encouraged.
- Any field may be left blank.
- Use the Notes field for information which does not otherwise fit the template.
- Inclusion of use-case or implementation-specific analysis is reserved for the Notes field.
template.yml includes a field for versioning. The version should be incremented when non-compatible changes are introduced to the template; the version number will not change if template updates are otherwise compatible. When the template version increases, it is expected that newer reviews will use the updated template; existing reviews should only be updated to the newer format if new information is available.
The group is open and anyone can join and help, either with CVE assessments, reviews, or feedback. Feel free to join the #linux-cve-workgroup IRC channel on libera.chat to get in touch.
Simply push your assessment files to the repository. Should there be any merge conflict, please resolve it taking into account what the previous analyzer wrote.
The use of LLMs or similar automated tools for generating assessments is not encouraged. Assessments should be manually analyzed and reviewed to maintain accuracy and consistency. Any use of automated tools should be proposed to and approved by the workgroup.