My prior post covered the research on kernel security flaw lifetimes that I presented earlier in the year at the 2016 Linux Security Summit. Now that CVE-2016-5195 is public, here are updated graphs and statistics. Because Critical bugs are so rare (there are only three in the whole data set), this one addition moves the average a lot: the Critical bug average lifetime has jumped from 3.3 years to 5.2 years, which by simple arithmetic (3 × 5.2 − 2 × 3.3) means this single flaw lived roughly nine years. There aren’t many Critical bugs, but, as I mentioned in the talk, they still exist, whether you know about them or not. CVE-2016-5195 was sitting on everyone’s machine when I gave my LSS talk, and there are still other flaws on all our Linux machines right now. (And, I should note, this problem is not unique to Linux.) Dealing with the knowledge that there are always going to be bugs present requires proactive kernel self-protection (to minimize the effects of flaws that have not yet been found) and vendors dedicated to updating their devices regularly and quickly (to keep the exposure window as short as possible once a flaw is widely known).
So, here are the graphs updated for the 668 CVEs known today (count per severity, with the average lifetime, i.e. the time from when the flaw was introduced to when it was fixed):
- Critical: 3 @ 5.2 years average
- High: 44 @ 6.2 years average
- Medium: 404 @ 5.3 years average
- Low: 216 @ 5.5 years average
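To make concrete why a single rare Critical flaw can swing the average so much, here is an added example (not code or data from the original post) that computes per-severity counts and mean lifetimes from a small constructed set of records, then adds one long-lived Critical flaw and recovers its lifetime from the before/after means alone. The CVE identifiers and dates are invented for illustration; only the 3.3-year to 5.2-year figures come from the post.

```python
from collections import defaultdict
from datetime import date

DAYS_PER_YEAR = 365.25

# Constructed records (cve_id, severity, introduced, fixed). These dates are
# illustrative and are NOT the dataset behind the post.
BASELINE = [
    ("CVE-EXAMPLE-0001", "Critical", date(2011, 1, 1), date(2014, 1, 1)),
    ("CVE-EXAMPLE-0002", "Critical", date(2012, 1, 1), date(2015, 7, 1)),
    ("CVE-EXAMPLE-0003", "High",     date(2009, 4, 1), date(2016, 6, 1)),
    ("CVE-EXAMPLE-0004", "Medium",   date(2013, 2, 1), date(2016, 3, 1)),
    ("CVE-EXAMPLE-0005", "Medium",   date(2008, 8, 1), date(2016, 1, 1)),
]

# One long-lived Critical flaw, with a constructed lifetime of roughly nine
# years (the size implied by the post's jump from 3.3 to 5.2 years).
LONG_LIVED_CRITICAL = (
    "CVE-EXAMPLE-0006", "Critical", date(2007, 9, 1), date(2016, 10, 1)
)


def lifetime_years(introduced: date, fixed: date) -> float:
    """Lifetime of a flaw: time from the commit that introduced it to the fix."""
    if fixed < introduced:
        raise ValueError("fix predates introduction")
    return (fixed - introduced).days / DAYS_PER_YEAR


def summarize(records):
    """Return {severity: (count, mean_lifetime_years)} for the given records."""
    by_severity = defaultdict(list)
    for _cve, severity, introduced, fixed in records:
        by_severity[severity].append(lifetime_years(introduced, fixed))
    return {
        sev: (len(lifetimes), sum(lifetimes) / len(lifetimes))
        for sev, lifetimes in by_severity.items()
    }


def implied_new_lifetime(old_count: int, old_mean: float, new_mean: float) -> float:
    """Lifetime of a single added flaw, recovered from the means before and
    after it was added: (n+1)*new_mean - n*old_mean."""
    return (old_count + 1) * new_mean - old_count * old_mean


if __name__ == "__main__":
    before = summarize(BASELINE)
    after = summarize(BASELINE + [LONG_LIVED_CRITICAL])
    for sev in ("Critical", "High", "Medium"):
        n0, m0 = before[sev]
        n1, m1 = after[sev]
        print(f"{sev:8s} before: {n0} @ {m0:.1f} y   after: {n1} @ {m1:.1f} y")
    # Using only the post's published figures (2 Criticals at 3.3 y, then 3 at 5.2 y):
    print("implied lifetime of the added Critical flaw:",
          round(implied_new_lifetime(2, 3.3, 5.2), 1), "years")
```

With two Critical entries of about three years each, adding one nine-year-old flaw lifts the Critical mean from roughly 3.2 to 5.2 years while the other severities are untouched; the same recovery formula applied to the post's own numbers gives about nine years for CVE-2016-5195.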
© 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.