This repository contains a list of assessments for Common Vulnerabilities and Exposures (CVEs) issued by the kernel.org CNA. All assessments are generated by the Linux CVE Workgroup.
List of CVEs published by the kernel.org CNA: kernel-CVEs
The Workgroup's objective is to let engineers from different companies come together and collaborate on CVE analysis, rather than having them work in isolation. With the Linux kernel becoming a CNA, the volume of CVEs has increased significantly, and the community showed interest in having an intermediate layer between the linux-cve-announce mailing list and downstream vulnerability ingestors.
The group is open and anyone can join and help, either with CVE assessments, reviews, or feedback. Feel free to join the #linux-cve-workgroup IRC channel on libera.chat to get in touch.
All CVEs are analyzed in separate files, under the vulns/ folder. The format for the analysis is a set of labels expressed in a YML file, with a structure documented in template.yml. This is inspired by the cip-project, but aims at being more technically oriented.
Simply push your assessment files to the repository. Should there be any merge conflict, please resolve it taking into account what the previous analyzer wrote.
Important Note: The use of LLMs or similar automated tools for generating assessments is not encouraged. Assessments should be manually analyzed and reviewed to maintain accuracy and consistency.