CVE-2021-4440: A Linux CNA Case Study

69 points, by __bjoernd, 11 months ago

6 comments

nikic, 11 months ago

Huh, this is interesting. Normally the reason to become a CNA is to reduce the number of bogus CVEs that are issued for your project due to security researchers trying to pad their portfolio.

Linux seems to have taken the reverse approach, by just filing their own bogus CVEs instead. One for every bug fix going into the kernel, rendering the CVE system useless.
kchr, 11 months ago

> Despite existing for a little over four months and in that time assigning over 2000 CVEs at a faster rate than any other CNA in existence, the harm it's single-handedly caused to the CVE ecosystem hasn't been fully appreciated yet by the public and is mostly relegated to security teams of downstream distributions,

Is this related to the fact that the NIST NVD has had a huge backlog of unprocessed CVEs since February?

https://www.nist.gov/itl/nvd
kchr, 11 months ago

Related LWN article from one of the kernel team members (Lee Jones):

How kernel CVE numbers are assigned: https://lwn.net/Articles/978711/ (June 19, 2024)
creatonez, 11 months ago

> Despite existing for a little over four months and in that time assigning over 2000 CVEs at a faster rate than any other CNA in existence, the harm it's single-handedly caused to the CVE ecosystem hasn't been fully appreciated yet by the public and is mostly relegated to security teams of downstream distributions, vulnerability management companies, and end-users who noticed recently their previously-informative distribution security advisories got replaced with auto-generated lists of hundreds of CVEs with minimal user-understandable/actionable information.

Good! We have environmental CVSS scores now, use them.
hvenev, 11 months ago

(2024).

Assigning a CVE to every second commit and refusing to assign CVEs to unfixed issues doesn't seem like correct usage of the CVE system. I expect that most Linux CVEs will never get a proper analysis or a CVSS rating.

To me it sounds plausible that the design goal of the Linux CNA is to show that CVEs don't meaningfully apply to the Linux kernel. Given how dependent on context the impact of some kernel bugs can be, if we were assigning CVSS scores for the worst case, practically all kernel bugs would be at least a 9.8/10.
progbits, 11 months ago

> This oversight meant that in affected kernels with the bad backport [...] not only was the MDS mitigation against the newer attacks turned into a no-op [...]

And this is why we write unit tests, folks.