When Linux stable maintainer Greg Kroah-Hartman posted the first-half-2026 CVE statistics to social.kernel.org, the headline number was striking: Linux led every other vendor by a wide margin. But his point wasn’t that Linux is the least secure software on the planet — it was that raw CVE counts are a terrible way to measure security, and Linux tops the list precisely because it’s the most transparent.
Table of Contents
The Numbers
Sorted by vendor, the CVEs issued in the first six months of 2026 looked like this:
| Count | Vendor |
|---|---|
| 2,308 | Linux |
| 1,752 | |
| 1,308 | n/a |
| 843 | Microsoft |
| 495 | OpenClaw |
| 445 | Oracle |
| 395 | Adobe |
| 340 | Red Hat |
| 310 | Apache |
| 284 | Apple |
Broken down by product — which sidesteps the issue of one vendor spanning many codebases — Linux still led with 2,309, ahead of Chrome (1,584), OpenClaw (497), Windows 10 Version 1607 (284), Firefox (255), and Android (153).
Greg wryly noted he’d have to rewrite the part of his conference talk where he says “we’re #2,” since that’s “not the case by far anymore.”
Why the Count Is Misleading
The crucial context is how different organizations decide what becomes a CVE. Commercial vendors like Apple and Microsoft typically only report issues they judge to be “high” severity. The Linux kernel project does the opposite: because it can’t control how its code is deployed, it assigns a CVE to essentially every security-relevant fix — reasoning that severity is nearly impossible to judge correctly when you don’t know the downstream use case.
In other words, Linux’s chart-topping number reflects a policy of full disclosure, not an epidemic of bugs. Comparing it directly against vendors who publish only their worst findings is fundamentally apples-to-oranges.
“CVEmaxxing” and the OpenClaw Surprise
The thread also produced a bit of instant jargon. A commenter described the newcomer OpenClaw — which racked up ~495 CVEs despite a codebase of only ~382,000 lines — as engaging in “CVEmaxxing,” a term Greg immediately said he’d “steal for my next talk.” He repeatedly praised OpenClaw for documenting all of its issues rather than cherry-picking, calling it a model other vendors should follow.
The WordPress Footnote
WordPress’s apparent absence from the list sparked a side discussion. Greg first assumed WordPress had simply stopped reporting, then corrected himself: WordPress properly attributes plugin vulnerabilities to the plugin’s vendor rather than lumping them under its own name. Most of those plugin CVEs are actually issued by Wordfence, a WordPress-security firm unaffiliated with WordPress core.
The Takeaway
Greg’s central message is one security professionals should internalize: a high CVE count can be a sign of health, not weakness. Projects that transparently document every fix will always look “worse” on a raw leaderboard than vendors who quietly patch and report only the headline-grabbing flaws. All the underlying data is public, and Greg encourages anyone to run their own queries against the CVE Project’s JSON dataset.




