In 2023, 293 Linux kernel CVEs were published, according to the NIST National Vulnerability Database. Of these, 7 were rated Critical, 134 were rated High severity, and 2 were confirmed as actively exploited in the wild (CISA KEV). Compared to 2022's 318 CVEs, 2023 represented a decrease of 8% year-on-year. March was the most active month, with 45 CVEs published.
Monthly CVE Breakdown — 2023
CVEs published per month with severity breakdown
March (45) was the most active month in 2023. Together the top months account for a significant share of 2023's 293 total CVEs. December (11) had the lowest volume.
Severity Distribution — 2023
Breakdown across 293 CVEs
50% Medium · 46% High · 2% Critical. 2 CVEs (1%) still awaiting NVD scoring.
Monthly Counts — 2023
CVE counts by month and severity
March was the most active month with 45 CVEs — 15% of 2023's total. December (11) had the lowest volume.
| Month | Total | Critical | High | Medium | Low | Share of year |
|---|---|---|---|---|---|---|
| January | 19 | 0 | 10 | 9 | 0 | 6% |
| February | 17 | 0 | 8 | 9 | 0 | 6% |
| March | 45 | 0 | 23 | 20 | 2 | 15% |
| April | 43 | 0 | 17 | 26 | 0 | 15% |
| May | 20 | 0 | 7 | 13 | 0 | 7% |
| June | 31 | 0 | 17 | 14 | 0 | 11% |
| July | 39 | 7 | 19 | 13 | 0 | 13% |
| August | 14 | 0 | 4 | 10 | 0 | 5% |
| September | 20 | 0 | 12 | 5 | 1 | 7% |
| October | 18 | 0 | 6 | 12 | 0 | 6% |
| November | 16 | 0 | 5 | 11 | 0 | 5% |
| December | 11 | 0 | 6 | 5 | 0 | 4% |
| Total | 293 | 7 | 134 | 147 | 3 | |
Actively exploited CVEs — 2023
2 CVEs confirmed in CISA KEV catalog
All CVEs — 2023
293 CVEs
| CVE ID | Package | Severity | CVSS | Published | Description | |
|---|---|---|---|---|---|---|
| CVE-2023-4881 | linux | Awaiting NVD | — | 2023-09-11 | Rejected reason: CVE-2023-4881 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux ke… | |
| CVE-2023-4705 | linux | Awaiting NVD | — | 2023-09-06 | Rejected reason: CVE-2023-4705 was wrongly assigned to a bug that was deemed to be a non-security issue by the Linux ke… | |
| CVE-2023-38427 | linux | Critical | 9.8 | 2023-07-18 | An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and… | |
| CVE-2023-38429 | linux | Critical | 9.8 | 2023-07-18 | An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in mem… | |
| CVE-2023-38428 | linux | Critical | 9.1 | 2023-07-18 | An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserN… | |
| CVE-2023-38426 | linux | Critical | 9.1 | 2023-07-18 | An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an out-of-bounds read in smb2_find_context_vals whe… | |
| CVE-2023-38431 | linux | Critical | 9.1 | 2023-07-18 | An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/connection.c in ksmbd does not validate the rel… | |
| CVE-2023-38430 | linux | Critical | 9.1 | 2023-07-18 | An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading … | |
| CVE-2023-38432 | linux | Critical | 9.1 | 2023-07-18 | An issue was discovered in the Linux kernel before 6.3.10. fs/smb/server/smb2misc.c in ksmbd does not validate the rela… | |
| CVE-2023-5178 | linux | High | 8.8 | 2023-11-01 | A use-after-free vulnerability was found in `drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug … | |
2023 Linux Kernel CVE Highlights
- Large backlog awaiting NVD scoring
  2 of 2023's CVEs (1%) are still listed as "Awaiting NVD", meaning no CVSS score has been assigned yet. This is typical for bulk-published CVEs from the Linux kernel CNA: the kernel team publishes CVEs rapidly, and NVD scoring lags by weeks or months.
- Monthly variation
  CVE publication in 2023 was uneven across months. March was the most active with 45 CVEs. December (11) had the lowest volume. Monthly spikes typically correspond to coordinated batches of backfilled CVEs being processed at once.