In 2014, 140 Linux kernel CVEs were published, sourced from the NIST National Vulnerability Database. Of these, 0 were rated Critical, 35 High severity, and 3 were confirmed as actively exploited in the wild (CISA KEV). Compared to 2013's 200 CVEs, 2014 represented a decrease of 30% year-on-year. November was the most active month, with 24 CVEs published.
Monthly CVE Breakdown — 2014
CVEs published per month with severity breakdown
November (24) was the most active month in 2014. Together the top months account for a significant share of 2014's 140 total CVEs. October (5) had the lowest volume.
Severity Distribution — 2014
Breakdown across 140 CVEs
62% Medium · 25% High · 0% Critical.
Monthly Counts — 2014
CVE counts by month and severity
November was the most active month with 24 CVEs — 17% of 2014's total. October (5) had the lowest volume.
| Month | Total | Critical | High | Medium | Low | Share of year |
|---|---|---|---|---|---|---|
| January | 15 | 0 | 0 | 12 | 3 | 11% |
| February | 12 | 0 | 5 | 5 | 2 | 9% |
| March | 10 | 0 | 4 | 4 | 2 | 7% |
| April | 11 | 0 | 2 | 8 | 1 | 8% |
| May | 8 | 0 | 1 | 6 | 1 | 6% |
| June | 11 | 0 | 1 | 6 | 4 | 8% |
| July | 10 | 0 | 1 | 8 | 1 | 7% |
| August | 8 | 0 | 6 | 2 | 0 | 6% |
| September | 18 | 0 | 6 | 12 | 0 | 13% |
| October | 5 | 0 | 0 | 5 | 0 | 4% |
| November | 24 | 0 | 5 | 18 | 1 | 17% |
| December | 8 | 0 | 4 | 1 | 3 | 6% |
| Total | 140 | 0 | 35 | 87 | 18 | |
Actively exploited CVEs — 2014
3 CVEs confirmed in CISA KEV catalog
All CVEs — 2014
140 CVEs
| CVE ID | Package | Severity | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2014-2523 | linux | High | 10.0 | 2014-03-24 | net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, whic… |
| CVE-2014-0100 | linux | High | 9.3 | 2014-03-11 | Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows r… |
| CVE-2013-4737 | linux | High | 9.3 | 2014-02-15 | The CONFIG_STRICT_MEMORY_RWX implementation for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Andr… |
| CVE-2013-2597 | linux | High KEV | 8.4 | 2014-08-31 | Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.… |
| CVE-2014-9322 | linux | High | 7.8 | 2014-12-17 | arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack … |
| CVE-2014-7825 | linux | High | 7.8 | 2014-11-10 | kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers durin… |
| CVE-2014-7826 | linux | High | 7.8 | 2014-11-10 | kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers durin… |
| CVE-2014-8369 | linux | High | 7.8 | 2014-11-10 | The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pag… |
| CVE-2014-7145 | linux | High | 7.8 | 2014-09-28 | The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a den… |
| CVE-2014-6416 | linux | High | 7.8 | 2014-09-28 | Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cau… |
2014 Linux Kernel CVE Highlights
- Volume without critical severity

  Despite the CVE volume, 2014 produced no Critical-rated vulnerabilities. 62% of 2014 CVEs are Medium severity, so the raw count does not represent a proportional level of high-severity risk.

- Monthly variation

  CVE publication in 2014 was uneven across months. November was the most active with 24 CVEs. October (5) had the lowest volume. Monthly spikes typically correspond to coordinated batches of backfilled CVEs being processed at once.