Comment by tuananh

4 days ago

if they really think that, they should have removed their CNA, no?

Nah, "removing CNA" = "let any security researcher decide what a kernel vulnerability is"

And unfortunately, there are plenty of security researchers who are only interested in personal CVE counts, and will try to assign highest priority to a mostly harmless bug.

  • but keeping the CNA and deciding, "nah, I won't number it" instead?

    • They do number it. In fact, once they became a CNA in 2024, the number of kernel CVEs increased almost 10x (see [0]).

      They just stopped assigning priorities/impact scores to them, because "A simple bugfix for a minor thing for one user could be a major system vulnerability fix for a different user, all depending on how Linux is being used"

      (For an example of why having a severity rating on a CVE is a bad idea, see Red Hat's treatment of CVE-2025-68343 [1]: they gave it "high", score 7. Many security teams in large corps would require a quick patch/kernel upgrade. And yes, this is a null-pointer dereference in a single USB device driver. Even if this is exploitable (which I am not sure about), this driver is _never_ going to be loaded into any of our cloud machines, so most of our infra is not affected.)

      [0] https://www.cvedetails.com/product/47/Linux-Linux-Kernel.htm...

      [1] https://access.redhat.com/security/cve/cve-2025-68343