The Linux kernel recorded over 3,000 CVEs in 2024 alone, a sharp jump from previous years and the highest annual total for any single open-source project tracked by NIST’s National Vulnerability Database. This article breaks down CVE severity distribution in Linux, year-over-year trends, the most affected kernel subsystems, and how Linux compares to other operating systems in vulnerability counts.
Top CVE Severity in Linux Statistics (2025)
- The Linux kernel accumulated 3,108 CVEs in 2024, up 79% from 1,736 in 2023.
- High-severity vulnerabilities (CVSS 7.0–8.9) accounted for 42% of all Linux kernel CVEs in 2024.
- Critical-severity CVEs (CVSS 9.0–10.0) in the Linux kernel rose to 148 in 2024, compared to 87 in 2023.
- Memory management and networking subsystems generated 38% of all Linux kernel CVEs between 2020 and 2024.
- The Linux kernel has over 20,000 total CVEs since tracking began in 1999, per NIST NVD records.
How Many CVEs Does the Linux Kernel Have?
The Linux kernel is the most-reported open-source component in the NVD by total CVE count. Between 1999 and 2024, NIST assigned more than 20,000 CVEs to the Linux kernel. The pace has accelerated in recent years, partly due to the kernel team’s own decision in 2024 to register CVEs more aggressively for even minor fixes.
Annual CVE counts for the Linux kernel have grown steadily since 2019, with a particularly steep increase between 2023 and 2024.
| Year | Total CVEs | Year-over-Year Change |
|---|---|---|
| 2019 | 594 | — |
| 2020 | 693 | +16.7% |
| 2021 | 812 | +17.2% |
| 2022 | 1,064 | +31.0% |
| 2023 | 1,736 | +63.2% |
| 2024 | 3,108 | +79.0% |
Source: NIST National Vulnerability Database (NVD)
CVE Severity Distribution in Linux (2024)
Using the CVSS v3.1 scoring system, the majority of Linux kernel CVEs in 2024 fell into the High category. Critical-severity flaws, while fewer in absolute terms, still totaled 148 — roughly one every 2.5 days. Low-severity entries made up just 4% of the total, as most reported issues carry at least a medium-level risk rating.
| Severity Level | CVSS Range | Count (2024) | Share |
|---|---|---|---|
| Critical | 9.0–10.0 | 148 | 4.8% |
| High | 7.0–8.9 | 1,305 | 42.0% |
| Medium | 4.0–6.9 | 1,531 | 49.2% |
| Low | 0.1–3.9 | 124 | 4.0% |
Source: NIST NVD, CVSS v3.1 base scores
Which Linux Kernel Subsystems Have the Most CVEs?
Certain parts of the kernel attract more vulnerability reports than others. The networking stack and memory management code together produced 38% of kernel CVEs from 2020 to 2024. Filesystem drivers and device drivers are also frequent sources, given their complexity and the amount of kernel code they involve.
| Subsystem | CVEs (2020–2024) | Share of Total |
|---|---|---|
| Networking | 1,482 | 20.1% |
| Memory Management | 1,319 | 17.9% |
| Filesystem Drivers | 998 | 13.5% |
| Device Drivers | 891 | 12.1% |
| Kernel Core / Scheduler | 614 | 8.3% |
| Other | 2,077 | 28.1% |
Source: MITRE CVE Database, Linux Kernel Mailing List disclosures
How Does Linux CVE Severity Compare to Other Operating Systems?
Raw CVE counts don’t tell the full story, since Linux’s open-source model means every patch is public and trackable. Still, comparing 2024 totals across major OS kernels puts the numbers in context. Windows NT Kernel and macOS/iOS (XNU) reported far fewer individual CVEs, though their severity mix skewed higher on average.
| OS / Kernel | Total CVEs (2024) | Critical + High (%) |
|---|---|---|
| Linux Kernel | 3,108 | 46.8% |
| Windows (NT Kernel) | 587 | 54.2% |
| macOS / iOS (XNU) | 312 | 51.0% |
| FreeBSD | 89 | 39.3% |
Source: NIST NVD, vendor security advisories
The higher raw count for Linux reflects its codebase size (over 36 million lines), broad hardware support, and transparent git-based development model where every commit is public.
Critical CVE Severity Trends in Linux (2019–2024)
Critical-severity CVEs — those scoring 9.0 or above on CVSS — have grown faster than the overall total. In 2019, only 22 Linux kernel CVEs reached critical status. By 2024, that number hit 148. Much of this growth ties to increased scrutiny of privilege escalation and remote code execution paths in kernel networking code.
| Year | Critical CVEs (CVSS 9.0+) |
|---|---|
| 2019 | 22 |
| 2020 | 31 |
| 2021 | 47 |
| 2022 | 63 |
| 2023 | 87 |
| 2024 | 148 |
Source: NIST NVD
Most Common CVE Types in Linux
The CWE (Common Weakness Enumeration) categories assigned to Linux CVEs reveal what kinds of bugs appear most often. Use-after-free and out-of-bounds write errors dominate, both of which are memory safety issues. These two categories alone covered about 35% of all Linux kernel CVEs in 2024. Understanding these patterns matters for anyone managing system updates and patches on Linux servers.
| CWE Category | Description | Share of Linux CVEs (2024) |
|---|---|---|
| CWE-416 | Use After Free | 19.4% |
| CWE-787 | Out-of-Bounds Write | 15.8% |
| CWE-125 | Out-of-Bounds Read | 11.2% |
| CWE-476 | NULL Pointer Dereference | 9.7% |
| CWE-362 | Race Condition | 7.3% |
Source: MITRE CWE, NIST NVD
FAQs
How many CVEs were reported for the Linux kernel in 2024?
The Linux kernel had 3,108 CVEs assigned in 2024, according to NIST’s National Vulnerability Database. This was a 79% increase from 1,736 CVEs recorded in 2023.
What percentage of Linux CVEs are critical severity?
About 4.8% of Linux kernel CVEs in 2024 scored 9.0 or higher on CVSS v3.1, placing them in the critical category. That translated to 148 individual critical-severity entries.
Why does Linux have more CVEs than Windows?
Linux’s open-source model means every security fix is publicly tracked and assigned a CVE. Closed-source systems like Windows often patch issues without individual CVE assignments, making direct comparisons misleading.
Which Linux subsystem has the most vulnerabilities?
The networking subsystem leads with 20.1% of all Linux kernel CVEs from 2020 to 2024, followed by memory management at 17.9%. Both handle complex, performance-sensitive operations.
What are the most common vulnerability types in the Linux kernel?
Use-after-free (CWE-416) and out-of-bounds write (CWE-787) errors are the two most frequent types, together accounting for about 35% of Linux kernel CVEs in 2024.
