CVE Severity Distribution For Linux Statistics 2026
CVE Severity Distribution For Linux Statistics 2026
Publish Date: 2026-02-27 14:38:00
Source Domain: commandlinux.com
The Linux kernel recorded over 3,000 CVEs in 2024 alone, a sharp jump from previous years and the highest annual total for any single open-source project tracked by NIST’s National Vulnerability Database. This article breaks down CVE severity distribution in Linux, year-over-year trends, the most affected kernel subsystems, and how Linux compares to other operating systems in vulnerability counts.
Top CVE Severity in Linux Statistics (2025)
- The Linux kernel accumulated 3,108 CVEs in 2024, up 79% from 1,736 in 2023.
- High-severity vulnerabilities (CVSS 7.0–8.9) accounted for 42% of all Linux kernel CVEs in 2024.
- Critical-severity CVEs (CVSS 9.0–10.0) in the Linux kernel rose to 148 in 2024, compared to 87 in 2023.
- Memory management and networking subsystems generated 38% of all Linux kernel CVEs between 2020 and 2024.
- The Linux kernel has over 20,000 total CVEs since tracking began in 1999, per NIST NVD records.
How Many CVEs Does the Linux Kernel Have?
The Linux kernel is the most-reported open-source component in the NVD by total CVE count. Between 1999 and 2024, NIST assigned more than 20,000 CVEs to the Linux kernel. The pace has accelerated in recent years, partly due to the kernel team’s own decision in 2024 to register CVEs more aggressively for even minor fixes.
Annual CVE counts for the Linux kernel have grown steadily since 2019, with a particularly steep increase between 2023 and 2024.
| Year | Total CVEs | Year-over-Year Change |
|---|---|---|
| 2019 | 594 | — |
| 2020 | 693 | +16.7% |
| 2021 | 812 | +17.2% |
| 2022 | 1,064 | +31.0% |
| 2023 | 1,736 | +63.2% |
| 2024 | 3,108 | +79.0% |
Source: NIST National Vulnerability Database (NVD)
CVE Severity Distribution in Linux (2024)
Using the CVSS v3.1 scoring system, the majority of Linux kernel CVEs in 2024 fell into the High category. Critical-severity flaws, while fewer in absolute terms, still totaled 148 — roughly one every 2.5 days. Low-severity entries made up just 4% of the total, as most reported issues carry at least a medium-level risk…
