Red Hat — Security Activity Report

Enterprise Linux + middleware (RHSA advisories)

Generated Jul 12, 2026Cohort: 9 vendors with ≥10 CVE advisoriesMethodology ↗

CVE Disclosure Volume

Total all-time: 25,229 CVEs with Red Hat advisories. Source: NVD CVE records joined with vendor advisory publish dates.

1,35020221,21820232,38520242,77720251,5602026

Severity Composition

-8.8 pp

34.4% of Red Hat's 25,229 CVEs are CRITICAL or HIGH severity. Industry median: 43.2%. Source: NVD CVSS v3.1.

CRITICAL 1,687 (6.7%)HIGH 7,000 (27.7%)MEDIUM 7,925 (31.4%)LOW 524 (2.1%)NONE 7,989 (31.7%)

CISA KEV Listings

-0.5 pp

38 of 7,313 Red Hat CVEs in the last 3 years are on CISA's Known Exploited Vulnerabilities catalog (0.5%). Industry median: 1.0%.

Source: CISA Known Exploited Vulnerabilities catalog (current snapshot). KEV listing means CISA observed active in-the-wild exploitation.

Vendor Patch Velocity

+6.3 days

Median time from CVE disclosure to Red Hat advisory: 21 days (p25 4 days – p75 54 days). Industry median: 15 days.

Sample size: 352 CVE→advisory pairs over the last 3 years. Source: vendor advisory published_at minus CVE published.

Top Recurring Weakness Classes

Most-frequently mapped CWEs across Red Hat's last 3 years of CVE disclosures. Source: NVD — CWE mapping per MITRE taxonomy.

  • CWE-416Use After Free679 CVEs
  • CWE-476NULL Pointer Dereference532 CVEs
  • CWE-787Out-of-bounds Write374 CVEs
  • CWE-125Out-of-bounds Read344 CVEs
  • CWE-401Missing Release of Memory after Effective Lifetime (Memory Leak)285 CVEs

Recent Security Advisories

Latest advisories published by Red Hat, straight from the vendor's own feed. Severity labels are the vendor's — scales differ across vendors.

Full advisory archive: /pulse/vendor-advisories →

Data sources & corrections

  • NVD National Vulnerability Database (nvd.nist.gov) — CVE records + CVSS v3.1 severity
  • MITRE cvelistV5 (github.com/CVEProject/cvelistV5) — CNA-published CVE timestamps
  • CISA Known Exploited Vulnerabilities catalog (cisa.gov/known-exploited-vulnerabilities-catalog)
  • Vendor security advisories (RHSA, USN, MSRC, GHSA, etc.) — published_at timestamps
  • MITRE CWE taxonomy (cwe.mitre.org) — weakness class mappings

Snapshot generated Jul 12, 2026. Industry medians refresh every 6 hours; raw vendor counts are queried live on each request.

Spot a factual error in this report?

Email [email protected] with the specific number you're disputing and a link to the authoritative source. We review every report and publish corrections on the methodology page.