From c0e29e917722918efbef6a442b511e0b624d3c2d Mon Sep 17 00:00:00 2001 From: Greg Marsden Date: Fri, 3 Oct 2025 11:51:21 -0700 Subject: [PATCH] Add high_consequence flag to template This commit introduces the high_consequence flag. This is intended for vendors doing analysis to suggest that readers focus on a particular vulnerability as it may be more exploitable or more consequential than other vulnerabilities. This does not increment the template version, as it adds a field without modifying existing fields. --- README.md | 2 ++ template.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/README.md b/README.md index 0422be0..57baa11 100644 --- a/README.md +++ b/README.md 
@@ -19,6 +19,8 @@ The audience for the linux-cve-analysis project is human reviewers who are respo While the impact of a particular vulnerability will vary based on how the kernel is being used, we have found that there is factual, objective information which describes the effect of code defects and is generic across use cases. This project seeks to compile those factual, objective descriptions while avoiding vendor-specific or subjective evaluations of those vulnerabilities. Inclusion of subjective or use-case specific analysis is generally discouraged but may be included in the Notes field. CVSS Scores are considered use-case specific and therefore discouraged for this repo. +The one field which is intended for subjective review is the field `high_consequence`. This field should be used to suggest that reviewers spend additional time to understand the potential consequences of this vulnerability in their environments, either because there's a known exploit or if the exploit appears to be easily used to gain privileges. This flag can be set even if we would expect most distributions may not have this feature enabled or the code compiled; the intent is to describe the consequence of having this vulnerability unpatched, not the expected impact for any particular usage. Specific vendor-assessed impact scores may be published by individual impacted vendors. The exact definition of high consequence is left intentionally vague; this flag is intended to allow reviewers within the cloud-lts community to flag particular vulnerabilities for additional analysis. + The following guidelines may be helpful in filling out the `template.yml` description: - Strict adherence to the yaml format is not required, but following the template is generally encouraged. - Any field may be left blank diff --git a/template.yml b/template.yml index 30e5bfa..f71e6a9 100644 --- a/template.yml +++ b/template.yml 
@@ -13,6 +13,9 @@ privileges_required: | [ true, false ] Privileges (root/CAP_*) required to reach vulnerable code. False if an unprivileged user can trigger the vulnerability, such as with an unprivileged module load. +high_consequence: | + [ true, false ] True if reviewers recommend this vulnerability receive + heightened scrutiny, e.g. an exploit is known. This field is subjective. notes: | Free form text, can be used to elaborate on anything of the above, or provide a more accurate description of the issue.
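Review bot: the new README paragraph does not say what an absent `high_consequence` field means, even though the guidelines just below it state that "Any field may be left blank"; a reader cannot tell whether a missing field is "assessed as not high consequence" or "not yet assessed". Suggest one sentence such as "If the field is absent or blank, the vulnerability has not been assessed for this flag; only an explicit `true` is a recommendation." Two smaller points in the same paragraph: "either because there's a known exploit or if the exploit appears to be easily used" mixes "because" and "if", and "most distributions may not have this feature enabled" stacks two modals; suggest "either because an exploit is known or because the defect appears easy to use to gain privileges" and "most distributions do not have this feature enabled or the code compiled". The paragraph also refers to "the cloud-lts community", which is not named anywhere else in this README (the audience is described as the linux-cve-analysis project); either define it or say "reviewers contributing to this project".

Review bot: the `high_consequence` description in template.yml restates the criteria in different words than the README ("e.g. an exploit is known" here, versus "a known exploit or ... easily used to gain privileges" in the README), and the two will drift as each is edited; suggest the template carry the full criteria once, e.g. "True if reviewers recommend heightened scrutiny: an exploit is known, or the defect appears easy to use to gain privileges," and the README point at the template. Since every field may be blank, the template entry should also state that blank means unassessed rather than false, so consumers do not treat an omitted field as a negative assessment. The sentence "This field is subjective." is worth keeping, as it is the only field in the template with that property and the README says so explicitly.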