Hi!
And yes, many bugs at this level (turns out about 25% of all stable commits) match that definition, which is fine. If you have a problem with this, please take it up with cve.org and their rules, but don't go making stuff up please.
You are assigning CVE for any bug. No, it is not fine, and while CVE rules may permit you to do that, it is unhelpful, because the CVE feed became useless.
Their rules _REQUIRE_ us to do this. Please realize this.
If you said that limited manpower makes you do this, that would be something to consider. Can you quote those rules?
I'd expect vulnerability description to be in english, not part of english text and part copy/paste from changelog. I'd also expect vulnerability description ... to ... well, describe the vulnerability. While changelogs describe fix being made, not the vulnerability.
Some even explain why the bug being fixed is not vulnerability at all, like this one. (Not even bug, to be exact. It is workaround for static checker).
I don't believe the rules are solely responsible for this.
(And yes, some people are trying to mitigate damage you are doing by disputing worst offenders, and process shows that quite often CVEs get assigned when they should not have been.)
Mistakes happen, we revoke them when asked, that's all we can do and it's worlds better than before when you could not revoke anything and anyone could, and would, assign random CVEs for the kernel with no way to change that.
Yes, way too many mistakes happen. And no, it is not an improvement over previous situation.
Best regards, Pavel
https://www.cve.org/CVERecord?id=CVE-2023-52472
Published: 2024-02-25 Updated: 2024-05-29 Title: Crypto: Rsa - Add A Check For Allocation Failure
Description In the Linux kernel, the following vulnerability has been resolved: crypto: rsa - add a check for allocation failure Static checkers insist that the mpi_alloc() allocation can fail so add a check to prevent a NULL dereference. Small allocations like this can't actually fail in current kernels, but adding a check is very simple and makes the static checkers happy.