In 2013, 200 Linux kernel CVEs were published, sourced from the NIST National Vulnerability Database. Of these, 1 was rated Critical, 21 High severity, and 3 were confirmed as actively exploited in the wild (CISA KEV). Compared to 2012's 114 CVEs, 2013 represented an increase of 75% year-on-year. March was the most active month, with 40 CVEs published.
Monthly CVE Breakdown — 2013
CVEs published per month with severity breakdown
March (40) was the most active month in 2013. Together the top months account for a significant share of 2013's 200 total CVEs. October (3) had the lowest volume.
Severity Distribution — 2013
Breakdown across 200 CVEs
66% Medium · 10% High · 0% Critical.
Monthly Counts — 2013
CVE counts by month and severity
March was the most active month with 40 CVEs — 20% of 2013's total. October (3) had the lowest volume.
| Month | Total | Critical | High | Medium | Low | Share of year |
|---|---|---|---|---|---|---|
| January | 5 | 0 | 0 | 4 | 1 | 2% |
| February | 24 | 0 | 1 | 19 | 4 | 12% |
| March | 40 | 0 | 1 | 15 | 24 | 20% |
| April | 26 | 0 | 3 | 21 | 2 | 13% |
| May | 4 | 0 | 2 | 1 | 1 | 2% |
| June | 22 | 1 | 4 | 11 | 6 | 11% |
| July | 15 | 0 | 2 | 10 | 3 | 8% |
| August | 4 | 0 | 1 | 3 | 0 | 2% |
| September | 19 | 0 | 2 | 15 | 2 | 10% |
| October | 3 | 0 | 0 | 3 | 0 | 2% |
| November | 26 | 0 | 4 | 22 | 0 | 13% |
| December | 12 | 0 | 1 | 8 | 3 | 6% |
| Total | 200 | 1 | 21 | 132 | 46 | |
Actively exploited CVEs — 2013
3 CVEs confirmed in CISA KEV catalog
All CVEs — 2013
200 CVEs
| CVE ID | Package | Severity | CVSS | Published | Description | |
|---|---|---|---|---|---|---|
| CVE-2011-1180 | linux | Critical | 9.8 | 2013-06-08 | Multiple stack-based buffer overflows in the iriap_getvaluebyclass_indication function in net/irda/iriap.c in the Linux… | |
| CVE-2013-6282 | linux | High KEV | 8.8 | 2013-11-20 | The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not… | |
| CVE-2013-2094 | linux | High KEV | 8.4 | 2013-05-14 | The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data … | |
| CVE-2013-2850 | linux | High | 7.9 | 2013-06-07 | Heap-based buffer overflow in the iscsi_add_notunderstood_response function in drivers/target/iscsi/iscsi_target_parame… | |
| CVE-2013-4247 | linux | High | 7.8 | 2013-08-25 | Off-by-one error in the build_unc_path_to_root function in fs/cifs/connect.c in the Linux kernel before 3.9.6 allows re… | |
| CVE-2013-1943 | linux | High | 7.8 | 2013-07-16 | The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocatio… | |
| CVE-2013-1059 | linux | High | 7.8 | 2013-07-08 | net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointe… | |
| CVE-2013-2017 | linux | High | 7.8 | 2013-05-03 | The veth (aka virtual Ethernet) driver in the Linux kernel before 2.6.34 does not properly manage skbs during congestio… | |
| CVE-2013-2596 | linux | High KEV | 7.8 | 2013-04-13 | Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certai… | |
| CVE-2011-2482 | linux | High | 7.5 | 2013-06-08 | A certain Red Hat patch to the sctp_sock_migrate function in net/sctp/socket.c in the Linux kernel before 2.6.21, as us… | |
2013 Linux Kernel CVE Highlights
- Volume without critical severity: Despite high CVE volume, 2013 produced only 1 Critical-rated vulnerability. 66% of 2013 CVEs are Medium severity. This means the surge in raw numbers does not represent a proportional surge in high-severity risk.
- Monthly variation: CVE publication in 2013 was uneven across months. March was the most active with 40 CVEs. October (3) had the lowest volume. Monthly spikes typically correspond to coordinated batches of backfilled CVEs being processed at once.