Statistics are grouped by month of the issue being reported to the private list.

| Month | All reports | Embargoed | Average embargo days | Median embargo days | Min embargo days | Max embargo days |
|---|---|---|---|---|---|---|
| 2026-01 | 3 | 3 | 7.42 | 6.81 | 1.28 | 14.15 |
| 2026-02 | 4 | 4 | 11.57 | 12.70 | 6.75 | 14.15 |
| Total | 7 | 7 | 9.79 | 11.74 | 1.28 | 14.15 |

Non-embargoed reports (issues already posted to oss-security before being brought to (linux-)distros, which has not occurred yet in 2026) are (would be) excluded from the calculation of the average, median, and minimum embargo duration above.

For the statistics above, we only use the first embargo duration seen in the table below, which is the delay between postings to (linux-)distros and oss-security.

For some reports, there's a second embargo duration: the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such a first public posting often does not fully (or at all) reveal the security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference.

| Project | Subjects/titles/links | Time at distros (UTC) … oss-security (UTC); elsewhere (UTC) | Embargo days | Planned CRD(s) (exact wording) | CVE(s) |
|---|---|---|---|---|---|
| OpenStack keystonemiddleware | [vs] Vulnerability in OpenStack keystonemiddleware (CVE pending) [oss-security] [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) | Thu Jan 08 20:01:47 2026 Thu Jan 15 15:32:58 2026 | 6.81 | Thursday, 2026-01-15, 1500UTC | |
| OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) | Tue Jan 13 13:44:01 2026 Tue Jan 27 17:19:21 2026 | 14.15 | 27th January 2026 | |
| BIND 9 | [vs] … [oss-security] ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) | Tue Jan 20 09:27:28 2026 Wed Jan 21 16:14:45 2026 | 1.28 | 21 January 2026 | CVE-2025-13878 |
| MUNGE | [vs] MUNGE buffer overflow - embargo until 2026-02-10 [oss-security] CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage | Wed Feb 04 00:30:33 2026 Tue Feb 10 18:33:01 2026 | 6.75 | 2026-02-10 18:00 UTC (Tue, 10:00 PST) | CVE-2026-25506 |
| MIT/Heimdal Kerberos | [vs] Critical Kerberos Credential Theft (ADV-2026-005) [oss-security] MIT/Heimdal Kerberos credentials cache type FILE risks | Thu Feb 05 09:24:27 2026 Thu Feb 19 01:15:03 2026 | 13.66 | 2026-02-18 | ADV-2026-005 |
| OpenStack | [vs] … [oss-security] [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) | Thu Feb 05 21:18:36 2026 Tue Feb 17 15:01:45 2026 | 11.74 | 2026-02-17 1500UTC | CVE-2026-24708 |
| Linux | [vs-plain] Multiple vulnerabilities in AppArmor [oss-security] Re: Multiple vulnerabilities in AppArmor | Thu Feb 26 18:01:06 2026 Thu Mar 12 21:34:11 2026 | 14.15 | Tuesday, March 3, 17:00 UTC; when the patches are published upstream in Linus's tree, in a few days and definitely before the maximum 14-day embargo; will almost certainly be published upstream in Linus's tree on Tuesday, March 10; wait until the patches appear in Linus's tree, even if the maximum 14-day embargo is slightly exceeded | |

These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.
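
The monthly figures can be re-derived from the timestamps in the per-report table. The following is an added Python example, not the Perl script referred to above; the function names are hypothetical, and treating a delay of zero or less as "non-embargoed" is an assumption about how that exclusion is decided.

```python
from datetime import datetime
from statistics import mean, median

FMT = "%a %b %d %H:%M:%S %Y"  # timestamp layout used in the per-report table (UTC)

# (project, time at distros, time at oss-security), copied from the table above
REPORTS = [
    ("OpenStack keystonemiddleware", "Thu Jan 08 20:01:47 2026", "Thu Jan 15 15:32:58 2026"),
    ("OpenSSL", "Tue Jan 13 13:44:01 2026", "Tue Jan 27 17:19:21 2026"),
    ("BIND 9", "Tue Jan 20 09:27:28 2026", "Wed Jan 21 16:14:45 2026"),
    ("MUNGE", "Wed Feb 04 00:30:33 2026", "Tue Feb 10 18:33:01 2026"),
    ("MIT/Heimdal Kerberos", "Thu Feb 05 09:24:27 2026", "Thu Feb 19 01:15:03 2026"),
    ("OpenStack", "Thu Feb 05 21:18:36 2026", "Tue Feb 17 15:01:45 2026"),
    ("Linux", "Thu Feb 26 18:01:06 2026", "Thu Mar 12 21:34:11 2026"),
]


def embargo_days(at_distros, at_oss):
    """Delay in days between the (linux-)distros and oss-security postings."""
    t0 = datetime.strptime(at_distros, FMT)
    t1 = datetime.strptime(at_oss, FMT)
    return (t1 - t0).total_seconds() / 86400


def summarize(reports):
    """Map month (and 'Total') to (all, embargoed, average, median, min, max)."""
    groups = {}
    for _project, at_distros, at_oss in reports:
        # Reports are grouped by the month they reached the private list
        month = datetime.strptime(at_distros, FMT).strftime("%Y-%m")
        days = embargo_days(at_distros, at_oss)
        for key in (month, "Total"):
            groups.setdefault(key, []).append(days)
    out = {}
    for key, all_days in groups.items():
        # Assumption: oss-security posting first (delay <= 0) means non-embargoed,
        # so the report is left out of average, median and minimum
        emb = [d for d in all_days if d > 0]
        stats = [round(f(emb), 2) for f in (mean, median, min)] if emb else [None] * 3
        out[key] = (len(all_days), len(emb), *stats, round(max(all_days), 2))
    return out


if __name__ == "__main__":
    rows = summarize(REPORTS)
    for key in sorted(rows, key=lambda k: (k == "Total", k)):  # 'Total' row last
        print(key, *rows[key])
```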