Linux Tops 2026 CVE Charts, Greg KH Says That’s a Good Thing

Greg Kroah-Hartman says Linux leads CVE counts for the first half of 2026, arguing the numbers reflect responsible reporting, not poor security.

Linux is currently leading the CVE charts for the first half of 2026, and Greg Kroah-Hartman seems perfectly fine with that. In a post on social.kernel.org, the longtime Linux kernel maintainer shared CVE issue statistics for the first six months of the year, sorted by vendor.

According to the numbers he posted, Linux sits at the top with 2,308 CVEs, followed by Google with 1,752, “n/a” with 1,308, Microsoft with 843, OpenClaw with 495, Oracle Corporation with 445, Adobe with 395, Red Hat with 340, Apache Software Foundation with 310, and Apple with 284.

Linux Is Now #1 in CVE Reporting

Understandably, that may sound alarming at first glance, especially for anyone used to reading CVE counts as a rough measure of how “insecure” a product or vendor is. However, Greg KH’s point is almost the opposite: the high number is being presented as a sign of more complete and responsible vulnerability reporting.

“I gotta change my talk where I say ‘we are #2’ as that’s not the case by far anymore,” he wrote, adding that he hopes other vendors “get their act together” and start properly reporting all CVEs to the system, rather than only the ones they choose to submit.

The follow-up discussion is even more interesting. When the comparison by vendor was questioned, Greg noted that companies such as Google and Microsoft cover many different software products, so a vendor-level comparison is not always ideal.

He then shared a second list sorted by product, where Linux still comes out on top with 2,309 CVEs, followed by Chrome with 1,584, “n/a” with 888, OpenClaw with 497, Windows 10 Version 1607 with 284, Firefox with 255, Android with 153, AVideo with 141, Red Hat Enterprise Linux 10 with 136, and iOS and iPadOS with 124.

Again, the explanation matters more than the raw ranking. Greg said that vendors like Apple, Microsoft, and others report only the issues they classify as “high” to CVE, while open-source projects often have to report everything because they cannot know how their code is used downstream.

And that is a key point for Linux users. The Linux kernel is not a single consumer product used in one predictable way. It runs across billions of servers, desktops, phones, embedded devices, routers, industrial systems, cloud infrastructure, and countless specialized environments. A bug that appears low-impact in one setup may matter much more in another.

So, rather than treating the number as a simple “Linux has more security problems” headline, it is better understood as a reflection of the kernel project’s increasingly systematic CVE handling. More reporting can make the numbers look worse, but it also gives distributions, vendors, administrators, and users a clearer view of what has been fixed and what still needs attention.

For those who want to check the data themselves, the CVE Project’s public cvelistV5 repository provides the information as searchable JSON and lets anyone run their own queries and compare results by vendor, product, CNA, or other fields.
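As an added example (not from Greg KH's post, and not necessarily how his numbers were produced), the following Python sketch tallies published records from a local cvelistV5 checkout by vendor or product. It assumes the CVE JSON 5.x fields `cveMetadata` and `containers.cna.affected`, counts each CVE once per distinct value, and uses a half-open date window on `datePublished`; the sample records are constructed.

```python
import json
from collections import Counter
from pathlib import Path

# Constructed sample records (not real CVEs), trimmed to the CVE JSON 5.x
# fields used here: cveMetadata.* and containers.cna.affected[].
SAMPLE = [
    {"cveMetadata": {"cveId": "CVE-2026-9990001", "state": "PUBLISHED",
                     "datePublished": "2026-02-03T10:00:00.000Z"},
     "containers": {"cna": {"affected": [
         {"vendor": "Linux", "product": "Linux"},
         {"vendor": "Linux", "product": "Linux"}]}}},   # listed twice
    {"cveMetadata": {"cveId": "CVE-2026-9990002", "state": "PUBLISHED",
                     "datePublished": "2026-05-20T08:30:00.000Z"},
     "containers": {"cna": {"affected": [
         {"vendor": "Google", "product": "Chrome"},
         {"vendor": "Google", "product": "Android"}]}}},
    {"cveMetadata": {"cveId": "CVE-2026-9990003", "state": "PUBLISHED",
                     "datePublished": "2026-03-11T00:00:00.000Z"},
     "containers": {"cna": {"affected": [{"product": "SomeApp"}]}}},
    {"cveMetadata": {"cveId": "CVE-2026-9990004", "state": "REJECTED"},
     "containers": {"cna": {}}},
    {"cveMetadata": {"cveId": "CVE-2026-9990005", "state": "PUBLISHED",
                     "datePublished": "2026-08-01T00:00:00.000Z"},
     "containers": {"cna": {"affected": [{"vendor": "Linux", "product": "Linux"}]}}},
]

def load_records(root):
    """Yield every record under a local cvelistV5 checkout (cves/<year>/...)."""
    for path in Path(root).glob("cves/*/*/CVE-*.json"):
        with open(path, encoding="utf-8") as fh:
            yield json.load(fh)

def tally(records, field, start="2026-01-01", end="2026-07-01"):
    """Count published CVEs per distinct `field` value ("vendor" or "product")."""
    counts = Counter()
    for rec in records:
        meta = rec.get("cveMetadata", {})
        published = meta.get("datePublished", "")
        if meta.get("state") != "PUBLISHED" or not (start <= published[:10] < end):
            continue
        affected = rec.get("containers", {}).get("cna", {}).get("affected", [])
        # A record can list the same vendor several times; count the CVE once.
        counts.update({(e.get(field) or "n/a").strip() for e in affected} or {"n/a"})
    return counts

if __name__ == "__main__":
    for name, n in tally(SAMPLE, "vendor").most_common():
        print(f"{n:5d}  {name}")
```

To run it against real data, pass `load_records("path/to/cvelistV5")` instead of `SAMPLE`. Because one record can name several products under one vendor, the per-vendor and per-product totals need not match.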

In conclusion, to put it simply: Linux leading the CVE charts is not necessarily bad news. The kernel project is just being more transparent than many commercial vendors, and that transparency can make Linux look noisier inside vulnerability databases. However, in security, uncomfortable numbers are often more useful than quiet gaps.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
