In 2019, 305 Linux kernel CVEs were published, according to the NIST National Vulnerability Database. Of these, 24 were rated Critical, 113 High severity, and 2 were confirmed as actively exploited in the wild (CISA KEV). Compared to 2018's 456 CVEs, 2019 represented a decrease of 33% year-on-year. November was the most active month, with 80 CVEs published.
Monthly CVE Breakdown — 2019
CVEs published per month with severity breakdown
November (80) was the most active month in 2019. Together the top months account for a significant share of 2019's 305 total CVEs. January (7) had the lowest volume.
Severity Distribution — 2019
Breakdown across 305 CVEs
51% Medium · 37% High · 8% Critical.
Monthly Counts — 2019
CVE counts by month and severity
November was the most active month with 80 CVEs — 26% of 2019's total. January (7) had the lowest volume.
| Month | Total | Critical | High | Medium | Low | Share of year |
|---|---|---|---|---|---|---|
| January | 7 | 0 | 2 | 5 | 0 | 2% |
| February | 19 | 1 | 10 | 8 | 0 | 6% |
| March | 8 | 2 | 2 | 4 | 0 | 3% |
| April | 15 | 0 | 6 | 8 | 1 | 5% |
| May | 17 | 1 | 7 | 8 | 1 | 6% |
| June | 12 | 1 | 8 | 3 | 0 | 4% |
| July | 22 | 5 | 8 | 8 | 1 | 7% |
| August | 38 | 3 | 10 | 25 | 0 | 12% |
| September | 34 | 2 | 14 | 17 | 1 | 11% |
| October | 12 | 1 | 5 | 1 | 5 | 4% |
| November | 80 | 7 | 31 | 41 | 1 | 26% |
| December | 41 | 1 | 10 | 28 | 2 | 13% |
| Total | 305 | 24 | 113 | 156 | 12 | |
Actively exploited CVEs — 2019
2 CVEs confirmed in CISA KEV catalog
All CVEs — 2019
305 CVEs
| CVE ID | Package | Severity | CVSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2019-10557 | linux | Critical | 9.8 | 2019-12-18 | Out-of-bound read in the wireless driver in the Linux kernel due to lack of check of buffer length. in Snapdragon Auto,… |
| CVE-2019-14895 | linux | Critical | 9.8 | 2019-11-29 | A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell… |
| CVE-2019-14897 | linux | Critical | 9.8 | 2019-11-29 | A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip driver. An att… |
| CVE-2019-14901 | linux | Critical | 9.8 | 2019-11-29 | A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip dr… |
| CVE-2019-14896 | linux | Critical | 9.8 | 2019-11-27 | A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip d… |
| CVE-2019-18814 | linux | Critical | 9.8 | 2019-11-07 | An issue was discovered in the Linux kernel through 5.3.9. There is a use-after-free when aa_label_parse() fails in aa_… |
| CVE-2019-18805 | linux | Critical | 9.8 | 2019-11-07 | An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.… |
| CVE-2019-17133 | linux | Critical | 9.8 | 2019-10-04 | In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE… |
| CVE-2019-16746 | linux | Critical | 9.8 | 2019-09-24 | An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of v… |
| CVE-2019-15504 | linux | Critical | 9.8 | 2019-08-23 | drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2.9 has a Double Free via crafted USB device traff… |
2019 Linux Kernel CVE Highlights
- Monthly variation: CVE publication in 2019 was uneven across months. November was the most active with 80 CVEs. January (7) had the lowest volume. Monthly spikes typically correspond to coordinated batches of backfilled CVEs being processed at once.