Ubuntu — Security Activity Report
Canonical Ubuntu (USN advisories)
Generated Jul 12, 2026Cohort: 9 vendors with ≥10 CVE advisoriesMethodology ↗
CVE Disclosure Volume
Total all-time: 25,932 CVEs with Ubuntu advisories. Source: NVD CVE records joined with vendor advisory publish dates.
Severity Composition
↓ -8.6 pp34.6% of Ubuntu's 25,932 CVEs are CRITICAL or HIGH severity. Industry median: 43.2%. Source: NVD CVSS v3.1.
CISA KEV Listings
↓ -0.5 pp43 of 9,093 Ubuntu CVEs in the last 3 years are on CISA's Known Exploited Vulnerabilities catalog (0.5%). Industry median: 1.0%.
Source: CISA Known Exploited Vulnerabilities catalog (current snapshot). KEV listing means CISA observed active in-the-wild exploitation.
Vendor Patch Velocity
Insufficient data to publish a reliable patch-velocity metric for Ubuntu(sample size: 0, minimum required: 10).
Top Recurring Weakness Classes
Most-frequently mapped CWEs across Ubuntu's last 3 years of CVE disclosures. Source: NVD — CWE mapping per MITRE taxonomy.
Recent Security Advisories
Latest advisories published by Ubuntu, straight from the vendor's own feed. Severity labels are the vendor's — scales differ across vendors.
- USN-8530-1
- USN-8529-1
- USN-8528-1
- USN-8527-1
- USN-8525-1
- USN-8521-1
- USN-8518-1
- USN-8517-1
Full advisory archive: /pulse/vendor-advisories →
Data sources & corrections
- NVD National Vulnerability Database (nvd.nist.gov) — CVE records + CVSS v3.1 severity
- MITRE cvelistV5 (github.com/CVEProject/cvelistV5) — CNA-published CVE timestamps
- CISA Known Exploited Vulnerabilities catalog (cisa.gov/known-exploited-vulnerabilities-catalog)
- Vendor security advisories (RHSA, USN, MSRC, GHSA, etc.) — published_at timestamps
- MITRE CWE taxonomy (cwe.mitre.org) — weakness class mappings
Snapshot generated Jul 12, 2026. Industry medians refresh every 6 hours; raw vendor counts are queried live on each request.
Spot a factual error in this report?
Email [email protected] with the specific number you're disputing and a link to the authoritative source. We review every report and publish corrections on the methodology page.