In 2012, 114 Linux kernel CVEs were published, sourced from the NIST National Vulnerability Database. Of these, 1 was rated Critical and 23 High severity. Compared to 2011's 84 CVEs, 2012 represented a 36% year-on-year increase. June was the most active month, with 40 CVEs published.
Monthly CVE Breakdown — 2012
CVEs published per month with severity breakdown
June (40) was the most active month in 2012. May (36) and June (40) together account for roughly two thirds of 2012's 114 total CVEs. February (3) had the lowest volume.
Severity Distribution — 2012
Breakdown across 114 CVEs
60% Medium · 20% High · 1% Critical.
Monthly Counts — 2012
CVE counts by month and severity
June was the most active month with 40 CVEs — 35% of 2012's total. February (3) had the lowest volume.
| Month | Total | Critical | High | Medium | Low | Share of year |
|---|---|---|---|---|---|---|
| January | 8 | 0 | 1 | 3 | 4 | 7% |
| February | 3 | 0 | 1 | 2 | 0 | 3% |
| May | 36 | 1 | 10 | 25 | 0 | 32% |
| June | 40 | 0 | 6 | 21 | 13 | 35% |
| July | 5 | 0 | 1 | 4 | 0 | 4% |
| August | 4 | 0 | 2 | 2 | 0 | 4% |
| October | 11 | 0 | 2 | 6 | 3 | 10% |
| December | 7 | 0 | 0 | 5 | 2 | 6% |
| Total | 114 | 1 | 23 | 68 | 22 | |
All CVEs — 2012
114 CVEs
| CVE ID | Package | Severity | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2011-3188 | linux | Critical | 9.1 | 2012-05-24 | The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate seque… |
| CVE-2011-3191 | linux | High | 8.8 | 2012-05-24 | Integer signedness error in the CIFSFindNext function in fs/cifs/cifssmb.c in the Linux kernel before 3.1 allows remote… |
| CVE-2012-3412 | linux | High | 7.8 | 2012-10-03 | The sfc (aka Solarflare Solarstorm) driver in the Linux kernel before 3.2.30 allows remote attackers to cause a denial … |
| CVE-2012-2744 | linux | High | 7.8 | 2012-08-09 | net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel before 2.6.34, when the nf_conntrack_ipv6 module is enabled… |
| CVE-2011-4913 | linux | High | 7.8 | 2012-06-21 | The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 does not validate the FAC_CCITT… |
| CVE-2012-0044 | linux | High | 7.8 | 2012-05-17 | Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (… |
| CVE-2012-1097 | linux | High | 7.8 | 2012-05-17 | The regset (aka register set) feature in the Linux kernel before 3.2.10 does not properly handle the absence of .get an… |
| CVE-2011-2525 | linux | High | 7.8 | 2012-02-02 | The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent tc_fill_qdisc funct… |
| CVE-2012-3400 | linux | High | 7.6 | 2012-10-03 | Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allow… |
| CVE-2011-1493 | linux | High | 7.5 | 2012-06-21 | Array index error in the rose_parse_national function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 allows … |
2012 Linux Kernel CVE Highlights
- Volume without critical severity: Despite high CVE volume, 2012 produced only 1 Critical-rated vulnerability, and 60% of 2012 CVEs are Medium severity. The surge in raw numbers therefore does not represent a proportional surge in high-severity risk.
- Monthly variation: CVE publication in 2012 was uneven across months. June was the most active with 40 CVEs; February (3) had the lowest volume. Monthly spikes typically correspond to coordinated batches of backfilled CVEs being processed at once, as the CVE-2011-* identifiers published in May and June 2012 illustrate.