Ubuntu — Security Activity Report

Canonical Ubuntu (USN advisories)

Generated Jul 12, 2026Cohort: 9 vendors with ≥10 CVE advisoriesMethodology ↗

CVE Disclosure Volume

Total all-time: 25,932 CVEs with Ubuntu advisories. Source: NVD CVE records joined with vendor advisory publish dates.

1,57320221,34720233,85220243,33020251,2912026

Severity Composition

-8.6 pp

34.6% of Ubuntu's 25,932 CVEs are CRITICAL or HIGH severity. Industry median: 43.2%. Source: NVD CVSS v3.1.

CRITICAL 1,753 (6.8%)HIGH 7,218 (27.8%)MEDIUM 9,730 (37.5%)LOW 569 (2.2%)NONE 6,471 (25.0%)

CISA KEV Listings

-0.5 pp

43 of 9,093 Ubuntu CVEs in the last 3 years are on CISA's Known Exploited Vulnerabilities catalog (0.5%). Industry median: 1.0%.

Source: CISA Known Exploited Vulnerabilities catalog (current snapshot). KEV listing means CISA observed active in-the-wild exploitation.

Vendor Patch Velocity

Insufficient data to publish a reliable patch-velocity metric for Ubuntu(sample size: 0, minimum required: 10).

Top Recurring Weakness Classes

Most-frequently mapped CWEs across Ubuntu's last 3 years of CVE disclosures. Source: NVD — CWE mapping per MITRE taxonomy.

  • CWE-476NULL Pointer Dereference1,132 CVEs
  • CWE-416Use After Free843 CVEs
  • CWE-787Out-of-bounds Write477 CVEs
  • CWE-125Out-of-bounds Read468 CVEs
  • CWE-401Missing Release of Memory after Effective Lifetime (Memory Leak)369 CVEs

Recent Security Advisories

Latest advisories published by Ubuntu, straight from the vendor's own feed. Severity labels are the vendor's — scales differ across vendors.

Full advisory archive: /pulse/vendor-advisories →

Data sources & corrections

  • NVD National Vulnerability Database (nvd.nist.gov) — CVE records + CVSS v3.1 severity
  • MITRE cvelistV5 (github.com/CVEProject/cvelistV5) — CNA-published CVE timestamps
  • CISA Known Exploited Vulnerabilities catalog (cisa.gov/known-exploited-vulnerabilities-catalog)
  • Vendor security advisories (RHSA, USN, MSRC, GHSA, etc.) — published_at timestamps
  • MITRE CWE taxonomy (cwe.mitre.org) — weakness class mappings

Snapshot generated Jul 12, 2026. Industry medians refresh every 6 hours; raw vendor counts are queried live on each request.

Spot a factual error in this report?

Email [email protected] with the specific number you're disputing and a link to the authoritative source. We review every report and publish corrections on the methodology page.