Statistics are grouped by month of the issue being reported to the private list.
| Month | All reports | Embargoed | Average embargo days | Median embargo days | Min embargo days | Max embargo days |
|---|---|---|---|---|---|---|
| 2026-01 | 3 | 3 | 7.42 | 6.81 | 1.28 | 14.15 |
| 2026-02 | 4 | 4 | 11.57 | 12.70 | 6.75 | 14.15 |
| 2026-03 | 15 | 15 | 10.40 | 5.35 | 1.11 | 49.69 |
| 2026-04 | 16 | 16 | 9.84 | 6.06 | 3.60 | 31.98 |
| Total | 38 | 38 | 10.05 | 6.78 | 1.11 | 49.69 |
Non-embargoed reports (issues already posted to oss-security before being brought to (linux-)distros, which has not yet occurred in 2026) are (would be) excluded from the calculation of average, median, and minimum embargo duration above.
For the statistics above, we only use the first embargo duration seen in the table below, which is the delay between postings to (linux-)distros and oss-security.
For some reports, there's a second embargo duration: the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such a first public posting often does not fully (or at all) reveal the security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference.
| Project | Subjects/titles/links | Time at distros / oss-security / elsewhere (UTC) | Embargo days | Planned CRD(s) (exact wording) | CVE(s) |
|---|---|---|---|---|---|
| OpenStack keystonemiddleware | [vs] Vulnerability in OpenStack keystonemiddleware (CVE pending) [oss-security] [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) | Thu Jan 08 20:01:47 2026 Thu Jan 15 15:32:58 2026 | 6.81 | Thursday, 2026-01-15, 1500UTC | |
| OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) | Tue Jan 13 13:44:01 2026 Tue Jan 27 17:19:21 2026 | 14.15 | 27th January 2026 | |
| BIND 9 | [vs] … [oss-security] ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) | Tue Jan 20 09:27:28 2026 Wed Jan 21 16:14:45 2026 | 1.28 | 21 January 2026 | CVE-2025-13878 |
| MUNGE | [vs] MUNGE buffer overflow - embargo until 2026-02-10 [oss-security] CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage | Wed Feb 04 00:30:33 2026 Tue Feb 10 18:33:01 2026 | 6.75 | 2026-02-10 18:00 UTC (Tue, 10:00 PST) | CVE-2026-25506 |
| MIT/Heimdal Kerberos | [vs] Critical Kerberos Credential Theft (ADV-2026-005) [oss-security] MIT/Heimdal Kerberos credentials cache type FILE risks | Thu Feb 05 09:24:27 2026 Thu Feb 19 01:15:03 2026 | 13.66 | 2026-02-18 | ADV-2026-005 |
| OpenStack | [vs] … [oss-security] [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) | Thu Feb 05 21:18:36 2026 Tue Feb 17 15:01:45 2026 | 11.74 | 2026-02-17 1500UTC | CVE-2026-24708 |
| Linux | [vs-plain] Multiple vulnerabilities in AppArmor [oss-security] Re: Multiple vulnerabilities in AppArmor | Thu Feb 26 18:01:06 2026 Thu Mar 12 21:34:11 2026 | 14.15 | Tuesday, March 3, 17:00 UTC when the patches are published upstream in Linus's tree, in a few days and definitely before the maximum 14-day embargo will almost certainly be published upstream in Linus's tree on Tuesday, March 10 wait until the patches appear in Linus's tree, even if the maximum 14-day embargo is slightly exceeded | |
| OpenSSH GSSAPI patch | [vs-plain] OpenSSH GSSAPI patch issue [oss-security] OpenSSH GSSAPI keyex patch issue | Thu Mar 05 14:03:20 2026 Thu Mar 12 18:03:39 2026 | 7.17 | 2026-03-12 18:00:00 UTC | CVE-2026-3497 |
| OpenStack Glance | [vs] Vulnerability in OpenStack Glance (CVE-pending) [oss-security] [OSSA-2026-004] Glance: Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality (CVE-2026-pending) | Thu Mar 05 20:09:33 2026 Thu Mar 19 15:21:06 2026 | 13.80 | 2026-03-19, 1500UTC | OSSA-2026-004 |
| curl | [vs-plain] : pre-notification curl CVE-2026-1965 (1/3) [oss-security] [ADVISORY] curl: CVE-2026-1965: bad reuse of HTTP Negotiate connection https://github.com/curl/curl/pull/20534 | Sun Mar 08 09:32:08 2026 Wed Mar 11 06:54:50 2026 | 2.89 | March 11, this coming Wednesday | CVE-2026-1965 |
| curl | [vs-plain] : pre-notification curl CVE-2026-3783 (2/3) [oss-security] [ADVISORY] curl: CVE-2026-3783: token leak with redirect and netrc https://github.com/curl/curl/pull/20843 | Sun Mar 08 09:32:12 2026 Wed Mar 11 06:54:55 2026 | 2.89 | March 11, this coming Wednesday | CVE-2026-3783 |
| curl | [vs-plain] : pre-notification curl CVE-2026-3784 (3/3) [oss-security] [ADVISORY] curl: CVE-2026-3784: wrong proxy connection reuse with credentials https://github.com/curl/curl/pull/20837 | Sun Mar 08 09:32:22 2026 Wed Mar 11 06:55:00 2026 | 2.89 | March 11, this coming Wednesday | CVE-2026-3784 |
| curl | [vs-plain] : pre-notification curl CVE-2026-3805 (4/3) [oss-security] [ADVISORY] curl: CVE-2026-3805: use after free in SMB connection reuse https://github.com/curl/curl/pull/20854 | Sun Mar 08 21:56:29 2026 Wed Mar 11 06:55:03 2026 | 2.37 | March 11th 2026 | CVE-2026-3805 |
| Linux | [vs] … [oss-security] KVM shadow EPT stale rmap use-after-free | Tue Mar 10 10:33:59 2026 Mon Mar 30 14:41:08 2026 | 20.17 | Sunday March 29, 2026, 16:00 UTC | |
| snapd | [vs] LPE in snapd [oss-security] snap-confine + systemd-tmpfiles = root (CVE-2026-3888) | Thu Mar 12 11:08:29 2026 Tue Mar 17 19:33:32 2026 | 5.35 | 2026-03-17 14:00:00 UTC | CVE-2026-3888 |
| Linux | [vs-plain] Vulnerability Report: KTLS + sockmap “Reverse Order” Use-After-Free / Data Corruption [oss-security] Linux kernel: KTLS + sockmap "Reverse Order" Use-After-Free / Data Corruption | Wed Mar 18 11:54:54 2026 Thu May 07 04:30:00 2026 | 49.69 | March 31st | |
| Dovecot | [vs] Dovecot Security Advisory 2026-01 [oss-security] Dovecot Security Advisory OXDC-2026-0001 | Mon Mar 23 14:57:55 2026 Fri Mar 27 14:48:06 2026 | 3.99 | 27th of March | CVE-2025-30189 CVE-2025-59028 CVE-2025-59032 CVE-2025-59031 CVE-2026-0394 CVE-2026-27860 CVE-2026-24031 CVE-2026-27859 CVE-2026-27857 CVE-2026-27858 CVE-2026-27856 CVE-2026-27855 |
| Kea | [vs] … [oss-security] ISC has disclosed one vulnerability in Kea (CVE-2026-3608) | Tue Mar 24 09:16:10 2026 Wed Mar 25 15:16:52 2026 | 1.25 | 25 March 2026 | CVE-2026-3608 |
| BIND 9 | [vs] … [oss-security] ISC has disclosed four vulnerabilities in BIND 9 (CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591) | Tue Mar 24 12:36:27 2026 Wed Mar 25 15:16:57 2026 | 1.11 | 25 March 2026 | CVE-2026-1519 CVE-2026-3104 CVE-2026-3119 CVE-2026-3591 |
| OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] OpenSSL Security Advisory | Tue Mar 24 15:39:27 2026 Tue Apr 07 16:37:00 2026 | 14.04 | 7th April 2026 | CVE-2026-31790 CVE-2026-28386 CVE-2026-28387 CVE-2026-28388 CVE-2026-28389 CVE-2026-28390 CVE-2026-31789 |
| OpenStack Keystone | [vs-plain] Vulnerability in OpenStack Keystone (CVE-2026-33551) [oss-security] [OSSA-2026-005] Keystone: Restricted application credentials can create EC2 credentials (CVE-2026-33551) | Tue Mar 24 19:28:14 2026 Tue Apr 07 17:43:25 2026 | 13.93 | 2026-04-07, 1500UTC | CVE-2026-33551 |
| LiteLLM | [vs] … [oss-security] X41 Advisory X41-2026-001: Guardrail Sandbox Escape in LiteLLM | Wed Mar 25 14:19:55 2026 Thu Apr 09 00:09:16 2026 | 14.41 | as fast as possible | x41-2026-001 |
| OVN | [vs-plain] CVE-2026-5367: Heap Over-Read in ICMP Error Response Generation [oss-security] [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation | Tue Apr 07 08:04:14 2026 Mon Apr 20 15:51:53 2026 | 13.32 | 13-Apr-2026 20-Apr-2026 | CVE-2026-5265 |
| OVN | [vs-plain] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing [oss-security] [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing | Tue Apr 07 08:04:18 2026 Mon Apr 20 15:52:03 2026 | 13.32 | 13-Apr-2026 20-Apr-2026 | CVE-2026-5367 |
| X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Multiple security issues in X.Org X server and Xwayland for 2026-04-14 [oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland | Tue Apr 07 08:20:45 2026 Tue Apr 14 15:38:28 2026 | 7.30 | 2026-04-14 at 13:00 UTC | CVE-2026-33999 CVE-2026-34000 CVE-2026-34001 CVE-2026-34002 CVE-2026-34003 |
| GNU sed | [vs-plain] GNU sed: CVE-2026-5958: TOCTOU race in sed -i --follow-symlinks [oss-security] CVE-2026-5958: GNU sed: TOCTOU race in sed -i --follow-symlinks https://savannah.gnu.org/news/?id=10885 | Sat Apr 11 01:40:42 2026 Wed May 13 01:14:29 2026 Wed Apr 22 02:00:45 2026 | 31.98 11.01 | 2026-04-19 the 20th | CVE-2026-5958 |
| libXpm | [vs-plain] Embargoed X.Org Security Advisory: Security issue in libXpm for 2026-04-21 [oss-security] Fwd: X.Org Security Advisory: CVE-2026-4367: libXpm Out-of-bounds read in xpmNextWord() | Tue Apr 14 17:09:39 2026 Tue Apr 21 16:30:10 2026 | 6.97 | 2026-04-21 at 13:00 UTC | CVE-2026-4367 |
| ntfs-3g | [vs] … [oss-security] CVE-2026-40706: ntfs-3g 2022.10.3: Heap buffer overflow | Thu Apr 16 10:27:32 2026 Tue Apr 21 16:30:37 2026 | 5.25 | April 21st (2026-04-21) 12:00 UTC | CVE-2026-40706 GHSA-4cwv-5285-63v9 |
| Kata Containers | [vs-plain] Vulnerability in Kata Containers (CVE Requested) [oss-security] CVE-2026-41326: Kata Containers: CopyFile Policy Subversion via Symlinks https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc | Thu Apr 16 13:42:39 2026 Wed May 13 01:31:41 2026 Wed Apr 22 19:55:00 2026 | 26.49 6.26 | 2026-04-22, 1800 UTC | CVE-2026-41326 |
| PackageKit | [vs] … [oss-security] CVE-2026-41651: TOCTOU vulnerability in PackageKit <= 1.3.4 leads to local root exploit | Sun Apr 19 01:11:19 2026 Wed Apr 22 15:38:54 2026 | 3.60 | next Wednesday (22.04.2026) 22.04.2026, after 12:00 CEST (12:00 PM, 12:00 24h format) | CVE-2026-41651 |
| curl | [vs-plain] : pre-notification curl CVE-2026-4873 (1/6) [oss-security] [ADVISORY] curl: CVE-2026-4873: connection reuse ignores TLS requirement https://github.com/curl/curl/commit/507e7be573b0a76fca597b75 | Thu Apr 23 06:08:11 2026 Wed Apr 29 06:01:05 2026 | 6.00 | April 29 | CVE-2026-4873 |
| curl | [vs-plain] : pre-notification curl CVE-2026-5545 (2/6) [oss-security] [ADVISORY] curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection https://github.com/curl/curl/commit/33e43985b8f3b9e6669 | Thu Apr 23 06:08:16 2026 Wed Apr 29 06:01:12 2026 | 6.00 | April 29 | CVE-2026-5545 |
| curl | [vs-plain] : pre-notification curl CVE-2026-5773 (3/6) [oss-security] [ADVISORY] curl: CVE-2026-5773: wrong reuse of SMB connection https://github.com/curl/curl/commit/74a169575d6412d | Thu Apr 23 06:08:24 2026 Wed Apr 29 06:01:18 2026 | 6.00 | April 29 | CVE-2026-5773 |
| curl | [vs-plain] : pre-notification curl CVE-2026-6253 (4/6) [oss-security] [ADVISORY] curl: CVE-2026-6253: proxy credentials leak over redirect-to proxy https://github.com/curl/curl/commit/188c2f166a20fa97c2325 | Thu Apr 23 06:08:31 2026 Wed Apr 29 06:01:23 2026 | 6.00 | April 29 | CVE-2026-6253 |
| curl | [vs-plain] : pre-notification curl CVE-2026-6276 (5/6) [oss-security] [ADVISORY] curl: CVE-2026-6276: stale custom cookie host causes cookie leak https://github.com/curl/curl/commit/3a19987a87f393d9394fe5ac | Thu Apr 23 06:08:39 2026 Wed Apr 29 06:01:27 2026 | 6.00 | April 29 | CVE-2026-6276 |
| curl | [vs-plain] : pre-notification curl CVE-2026-6429 (6/6) [oss-security] [ADVISORY] curl: CVE-2026-6429: netrc credential leak with reused proxy connection https://github.com/curl/curl/commit/b4024bf808bd558026fdc6 | Thu Apr 23 06:08:46 2026 Wed Apr 29 06:01:19 2026 | 5.99 | April 29 | CVE-2026-6429 |
| Exim | [vs-plain] EXIM-Security-2026-04-24 [oss-security] Exim 4.99.2 fixes 4 CVEs | Fri Apr 24 15:09:46 2026 Thu Apr 30 18:21:42 2026 | 6.13 | next Wednesday, 2026-04-29T12:00:00+0000 | CVE-2026-40684 CVE-2026-40685 CVE-2026-40686 CVE-2026-40687 |
| OpenStack Cyborg | [vs] … [oss-security] [OSSA-2026-011] OpenStack Cyborg: Multiple access control vulnerabilities in Cyborg accelerator management (CVE-2026-40213, CVE-2026-40214) | Thu Apr 30 15:02:08 2026 Thu May 07 18:27:34 2026 | 7.14 | 2026-05-07, 1500UTC | CVE-2026-40213 CVE-2026-40214 |
These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.
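
The calculation described above can be checked against the 2026-01 row of the monthly table. The following Python sketch is an added example, not the Perl script referenced on this page; the function names are hypothetical, and treating a non-positive delay as "non-embargoed" is an assumption based on the definition given above.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median

FMT = "%a %b %d %H:%M:%S %Y"  # timestamp layout used in the table, always UTC

# (time at distros, time at oss-security), copied from the three 2026-01 rows
ROWS = [
    ("Thu Jan 08 20:01:47 2026", "Thu Jan 15 15:32:58 2026"),  # keystonemiddleware
    ("Tue Jan 13 13:44:01 2026", "Tue Jan 27 17:19:21 2026"),  # OpenSSL
    ("Tue Jan 20 09:27:28 2026", "Wed Jan 21 16:14:45 2026"),  # BIND 9
]

def parse_utc(stamp):
    return datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)

def embargo_days(distros, oss_security):
    """First embargo duration: delay from the distros posting to oss-security."""
    delta = parse_utc(oss_security) - parse_utc(distros)
    return delta.total_seconds() / 86400

def monthly_stats(rows):
    """Group by the month of the distros posting, as the monthly table does."""
    by_month = defaultdict(list)
    for distros, oss_security in rows:
        month = parse_utc(distros).strftime("%Y-%m")
        by_month[month].append(embargo_days(distros, oss_security))
    stats = {}
    for month, days in sorted(by_month.items()):
        # Assumption: a delay <= 0 means the issue was already public, so the
        # report is counted but left out of average, median and minimum.
        embargoed = [d for d in days if d > 0]
        row = {"all": len(days), "embargoed": len(embargoed)}
        if embargoed:
            row.update(
                average=round(mean(embargoed), 2),
                median=round(median(embargoed), 2),
                min=round(min(embargoed), 2),
                max=round(max(days), 2),
            )
        stats[month] = row
    return stats

if __name__ == "__main__":
    for month, row in monthly_stats(ROWS).items():
        print(month, row)
```

The statistics are computed from unrounded durations and rounded only at the end, which is why the January average is 7.42 rather than the 7.41 obtained by averaging the rounded per-report values.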