The Linux kernel project recently announced that it has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux.

The move follows a “trend of more open source projects taking over the haphazard assignments of CVEs against their project by becoming a CNA so that no other group can assign CVEs without their involvement, says Greg Kroah-Hartman in the announcement.

The full implications of this change are not immediately clear; however, in a recent blog post, Jonathan Corbet provided further information.

“The key to how this is going to work, he says, can be found in this patch to the kernel's documentation”:
Due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team is overly cautious and assigns CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team.

What this means, Corbet says, “is that anything that looks like a bug fix – meaning many of the changes that find their way into the stable kernel updates – will have a CVE number assigned to it.” Such bug fixes can number in the tens of thousands, he notes. “Not all of these patches will get CVE numbers, but many will. So there are going to be a lot of CVE numbers assigned to the kernel in the coming years.”

Read more at LWN.