Linux Tops the 2026 CVE Charts — and Greg K-H Says That’s a Good Thing

When Linux stable maintainer Greg Kroah-Hartman posted the first-half-2026 CVE statistics to social.kernel.org, the headline number was striking: Linux led every other vendor by a wide margin. But his point wasn’t that Linux is the least secure software on the planet — it was that raw CVE counts are a terrible way to measure security, and Linux tops the list precisely because it’s the most transparent.

The Numbers

Sorted by vendor, the CVEs issued in the first six months of 2026 looked like this:

CountVendor
2,308Linux
1,752Google
1,308n/a
843Microsoft
495OpenClaw
445Oracle
395Adobe
340Red Hat
310Apache
284Apple

Broken down by product — which sidesteps the issue of one vendor spanning many codebases — Linux still led with 2,309, ahead of Chrome (1,584), OpenClaw (497), Windows 10 Version 1607 (284), Firefox (255), and Android (153).

Greg wryly noted he’d have to rewrite the part of his conference talk where he says “we’re #2,” since that’s “not the case by far anymore.”

Why the Count Is Misleading

The crucial context is how different organizations decide what becomes a CVE. Commercial vendors like Apple and Microsoft typically only report issues they judge to be “high” severity. The Linux kernel project does the opposite: because it can’t control how its code is deployed, it assigns a CVE to essentially every security-relevant fix — reasoning that severity is nearly impossible to judge correctly when you don’t know the downstream use case.

In other words, Linux’s chart-topping number reflects a policy of full disclosure, not an epidemic of bugs. Comparing it directly against vendors who publish only their worst findings is fundamentally apples-to-oranges.

“CVEmaxxing” and the OpenClaw Surprise

The thread also produced a bit of instant jargon. A commenter described the newcomer OpenClaw — which racked up ~495 CVEs despite a codebase of only ~382,000 lines — as engaging in “CVEmaxxing,” a term Greg immediately said he’d “steal for my next talk.” He repeatedly praised OpenClaw for documenting all of its issues rather than cherry-picking, calling it a model other vendors should follow.

The WordPress Footnote

WordPress’s apparent absence from the list sparked a side discussion. Greg first assumed WordPress had simply stopped reporting, then corrected himself: WordPress properly attributes plugin vulnerabilities to the plugin’s vendor rather than lumping them under its own name. Most of those plugin CVEs are actually issued by Wordfence, a WordPress-security firm unaffiliated with WordPress core.

The Takeaway

Greg’s central message is one security professionals should internalize: a high CVE count can be a sign of health, not weakness. Projects that transparently document every fix will always look “worse” on a raw leaderboard than vendors who quietly patch and report only the headline-grabbing flaws. All the underlying data is public, and Greg encourages anyone to run their own queries against the CVE Project’s JSON dataset.

Related Reading

Avatar photo
David Cao

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

Articles: 683

Leave a Reply

Your email address will not be published. Required fields are marked *