This repository contains LLM-generated analysis of Linux kernel CVEs (Common Vulnerabilities and Exposures). It is published by Microsoft to share CVE analysis outputs with the Linux cloud-lts community.
CVE analysis for the Linux kernel is a manual process. Members of the Linux cloud-lts community perform the analysis and upload YAML files to the cloud-lts/linux-cve-analysis repository.
Microsoft has developed an automated solution that leverages a large language model (LLM) to perform this CVE analysis and publish the resulting YAML files. The goal is to share these results with the Linux cloud-lts community so they can view, review, and provide feedback.
The vulns/ directory contains YAML files with structured analysis for each CVE, including:
- reachability: Who can reach the vulnerable code (not yet implemented)
- memory_corruption: Indicates if the vulnerability involves memory corruption
- bug_class: Classification of the vulnerability (e.g., UAF, buffer overflow, race condition)
- impact: Potential impact (e.g., DoS, privilege escalation, information disclosure)
- privileges_required: Whether privileges are required to reach the vulnerable code (not yet implemented)
- notes: Analysis summary and additional context
- author: Indicates the analysis was LLM-generated
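A reviewer who wants to check the generated files before trusting them needs something more than a field list. The following is an added example, not code from this repository: it reads one analysis file as a flat YAML mapping and reports structural problems (missing fields, a non-boolean memory_corruption, values outside the bug_class and impact examples given above, an author field that does not mark the content as LLM-generated, and data in fields documented as not yet implemented). The field names come from the list above; the exact file layout, the "known" value sets and the tiny YAML reader are assumptions made for the example.

```python
"""Added example: structural checks for per-CVE analysis YAML files.

Field names (reachability, memory_corruption, bug_class, impact,
privileges_required, notes, author) come from the README. Everything else
is an assumption: files are read as a flat ``key: value`` mapping with
optional ``|`` block scalars, and the "known" value sets are only the
examples the README lists.
"""
from typing import Dict, List, Union

Value = Union[str, bool]

REQUIRED_FIELDS = ("memory_corruption", "bug_class", "impact", "notes", "author")
UNIMPLEMENTED_FIELDS = ("reachability", "privileges_required")
# Assumed: the README gives these only as examples, so unknown values are
# reported as warnings rather than errors.
KNOWN_BUG_CLASSES = {"uaf", "buffer overflow", "race condition"}
KNOWN_IMPACTS = {"dos", "privilege escalation", "information disclosure"}


def parse_flat_yaml(text: str) -> Dict[str, Value]:
    """Minimal reader for a flat YAML mapping (not a full YAML parser).

    Handles ``key: value`` lines, ``key: |`` block scalars indented by two
    spaces, comment lines, and the scalars true/false. Use PyYAML for real files.
    """
    data: Dict[str, Value] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            raise ValueError(f"unexpected indented line: {line!r}")
        key, sep, raw = line.partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {line!r}")
        key, raw = key.strip(), raw.strip()
        if raw == "|":  # block scalar: gather the indented lines that follow
            block: List[str] = []
            while i < len(lines) and (not lines[i].strip() or lines[i].startswith("  ")):
                block.append(lines[i][2:])
                i += 1
            data[key] = "\n".join(block).strip()
        elif raw.lower() in ("true", "false"):
            data[key] = raw.lower() == "true"
        else:
            data[key] = raw.strip("\"'")
    return data


def validate_analysis(doc: Dict[str, Value]) -> List[str]:
    """Return a list of findings; an empty list means the document passed."""
    findings: List[str] = []
    for name in REQUIRED_FIELDS:
        if name not in doc:
            findings.append(f"error: missing field '{name}'")
    if "memory_corruption" in doc and not isinstance(doc["memory_corruption"], bool):
        findings.append("error: memory_corruption must be true or false")
    bug_class, impact = doc.get("bug_class"), doc.get("impact")
    if isinstance(bug_class, str) and bug_class.lower() not in KNOWN_BUG_CLASSES:
        findings.append(f"warning: unrecognized bug_class '{bug_class}'")
    if isinstance(impact, str) and impact.lower() not in KNOWN_IMPACTS:
        findings.append(f"warning: unrecognized impact '{impact}'")
    author = doc.get("author")
    if isinstance(author, str) and "llm" not in author.lower():
        findings.append("warning: author does not mark the analysis as LLM-generated")
    for name in UNIMPLEMENTED_FIELDS:  # documented as not yet implemented
        if doc.get(name) not in (None, "", "not yet implemented"):
            findings.append(f"note: '{name}' is not yet implemented but carries a value")
    notes = doc.get("notes")
    if isinstance(notes, str) and len(notes) < 20:
        findings.append("warning: notes is too short to be a useful analysis summary")
    return findings


def validate_text(text: str) -> List[str]:
    """Parse one file's text and validate it in a single call."""
    return validate_analysis(parse_flat_yaml(text))


# Constructed samples in the assumed layout; the CVE id is a placeholder.
SAMPLE_OK = """\
# CVE-YYYY-NNNNN (placeholder id, constructed sample)
reachability: not yet implemented
memory_corruption: true
bug_class: UAF
impact: privilege escalation
privileges_required: not yet implemented
notes: |
  Constructed sample: a use-after-free reachable from an unprivileged
  caller; the fix adds a reference-count check before the object is freed.
author: LLM-generated
"""

SAMPLE_BAD = """\
memory_corruption: "yes"
bug_class: logic error
impact: DoS
notes: short
author: human
"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, validate_text(text) or ["passed"])
```

Running the block prints `passed` for the first constructed sample and four findings for the second. The known-value sets are deliberately warnings rather than errors so that a genuinely new bug class is surfaced for review instead of rejected.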
The CVE analysis files in this repository are generated automatically using a large language model (LLM). These files are treated as read-only; if you identify an issue, please open an issue rather than submitting direct edits (see CONTRIBUTING.md).
Commits authored by CVE Vulnalyzer Bot (cve-vulnalyzer@azure.devops.com) represent automated content generation and do not correspond to direct authorship by an individual contributor.
The responses provided by this solution are generated using a large language model (LLM) and are intended for informational purposes only. The AI-generated content may contain errors, omissions, or outdated information. Users should independently verify the severity, applicability, and recommended fixes for any CVE before taking action. The content is provided "as is" without warranties of any kind.
We welcome feedback from the Linux cloud-lts community and the broader open-source community. If you find discrepancies between the LLM-generated analysis and your own findings, please open an issue.
Please see CONTRIBUTING.md for details on how to contribute, including the requirement to sign the Microsoft Contributor License Agreement (CLA).
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
For security concerns, please see SECURITY.md.
Please do not report security vulnerabilities through public GitHub issues. For security reporting information, locations, contact information, and policies, please review the latest guidance for Microsoft repositories at https://aka.ms/SECURITY.md.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.
This project is licensed under the MIT License - see the LICENSE file for details.