Linux Kernel Policy
On this page, we detail our policy on how we deal with Linux vulnerabilities and our recommendations for users. This policy is not set in stone and we will revise it when circumstances change.
Summary
The only way to run a Linux kernel free of known security vulnerabilities is to run the latest Linux kernel version of a supported Linux release. The supported kernel releases are listed on kernel.org. CTRL-OS always includes the latest LTS kernels.
Linux is Special
The Linux kernel has a long and complicated relationship with formal vulnerability tracking. A full discussion is out of the scope of this document, but one of the key reasons the project was hesitant to issue CVEs is this:
Because Linux is at the core of everything, any Linux kernel bug may be a security vulnerability in the right circumstances.
As a result, the Linux kernel project publishes hundreds of CVEs per month, yet only a fraction of them are relevant to any particular use case.
In addition to the quantity of reported vulnerabilities, the process of issuing Linux kernel CVEs happens alongside normal Linux kernel development and backporting of fixes to stable releases. This means that Linux CVEs are only issued when the fix is already available in a stable release.
Updating is the Fix
With this special handling of Linux vulnerabilities in mind, we have decided that the best course of action is to provide the latest Linux kernel versions in our CTRL-OS releases.
Running the latest version of a supported Linux kernel release will by definition mean that no CVE reported by the Linux kernel project applies to you. Running any older version always means that a very large number of CVEs apply to your Linux kernel version (even though only a fraction are relevant).
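As an added example (not part of this policy page or CTRL-OS tooling), the following script applies the rule above to a running kernel: it takes the `uname -r` string, looks up the matching major.minor series in a kernel.org-style `releases.json`, and reports whether the kernel is the latest of a supported series, behind it, on an end-of-life series, or on a series kernel.org no longer lists. The embedded JSON is a constructed sample in the shape of https://www.kernel.org/releases.json; in practice you would fetch that file.

```python
import json
import platform
import re

# Constructed sample shaped like kernel.org's releases.json; versions are made up.
SAMPLE_RELEASES_JSON = json.dumps({
    "latest_stable": {"version": "6.7.2"},
    "releases": [
        {"moniker": "mainline", "version": "6.8-rc3", "iseol": False},
        {"moniker": "stable", "version": "6.7.2", "iseol": False},
        {"moniker": "longterm", "version": "6.6.14", "iseol": False},
        {"moniker": "longterm", "version": "6.1.75", "iseol": False},
        {"moniker": "longterm", "version": "4.14.336", "iseol": True},
    ],
})


def parse_version(s: str) -> tuple:
    """Turn '6.6.3-ctrlos1' or '6.8-rc3' into (major, minor, patch),
    ignoring any distro suffix or -rc tag after the numeric part."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"not a kernel version: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def check_kernel(running: str, releases_json: str) -> str:
    """Classify a running kernel (uname -r output) against kernel.org's list.
    Returns 'current' (latest of a supported series, so no kernel.org CVE applies),
    'outdated' (supported series but behind its latest release),
    'eol' (series marked end-of-life) or 'unsupported' (series not listed)."""
    data = json.loads(releases_json)
    rv = parse_version(running)
    series = rv[:2]
    for rel in data["releases"]:
        if rel["moniker"] == "mainline":
            continue  # -rc snapshots are not a supported stable release
        lv = parse_version(rel["version"])
        if lv[:2] != series:
            continue
        if rel.get("iseol"):
            return "eol"
        return "current" if rv >= lv else "outdated"
    return "unsupported"


if __name__ == "__main__":
    # Compare the kernel this script runs on against the sample list.
    print(check_kernel(platform.release(), SAMPLE_RELEASES_JSON))
```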
Linux CVEs in the Security Tracker
At the moment, we choose not to include Linux kernel CVEs in the security tracker, because from our perspective it brings little benefit to users. This policy may change.
If you have questions about this policy, face issues running the latest Linux kernels or need Linux security help tailored to your use case, please reach out.