Operating Systems
Operating systems are the foundation of every device, which makes their vulnerabilities some of the most far-reaching. This hub tracks CVEs across Linux distributions, Windows, macOS, the BSDs and mobile operating systems.
- Cumulative CVEs: 69,158 (across 297 monthly snapshots)
- Latest month: 1,163 (-56.8% MoM · +58.4% YoY)
- Peak month: 2,693 (May 26)
- KEV this month: 2 (62 vendors affected)
CVEs per month
[Chart: CVEs per month, newest period on the right.]
Deployment mix
How this sector's software is typically delivered — whether you patch it yourself or a vendor does. AI-assisted vendor classification.
- On-prem: 93%
- Mixed: 4%
- Embedded: 3%
Latest CVEs in this sector
The 15 most recently published vulnerabilities tagged to Operating Systems.
- CVE-2026-10655 · Use-after-free race in SNTP async client when closing the socket while the socket service is still polling it · 6.5
- CVE-2026-10654 · RFCOMM session-disconnect race leaks session/L2CAP and denies further RFCOMM service in Zephyr Bluetooth Classic · 3.1
- CVE-2026-10653 · Non-atomic `net_buf` reference counts cause double-free / free-list corruption under concurrent unref · 6.4
- CVE-2026-9263 · Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memory into host HCI ISO packets · 6.5
- CVE-2026-49451 · Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing · 7.5
- CVE-2026-10652 · Out-of-bounds read in Zephyr DNS resolver TXT/SRV record parsing (unvalidated `rdlength`) · 4.8
- CVE-2026-58016 · Glib: integer underflow in gio/gdbusintrospection.c via "g_dbus_node_info_new_for_xml" · 7.5
- CVE-2026-58015 · Glib: path traversal in glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry and mechanism_client_data_receive · 5.9
- CVE-2026-58014 · Glib: off-by-one error in glib/gkeyfile.c via "g_key_file_get_locale_string_list" · 7.3
- CVE-2026-58013 · Glib: buffer over-read in glib/giochannel.c via "g_io_channel_read_line_backend" · 6.5
- CVE-2026-58012 · Glib: buffer over-read in g_regex_replace() via glib/gregex.c:string_append() and g_utf8_next_char() · 6.5
- CVE-2026-58010 · Glib: buffer over-read in glib/gvariant-serialiser.c via gvs_tuple_is_normal() · 6.5
- CVE-2026-58011 · Glib: out-of-bounds read in glib/gdatetime.c:g_date_time_get_ymd via invalid gdatetime · 6.5
- CVE-2026-14209 · Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions · 4.3
- CVE-2026-13316 · Foreman: ssrf to cloud metadata service through unvalidated test_url parameters in foreman config · 4.4
Weakness fingerprint
Top CWE classes in this sector, latest monthly snapshot.
Top vendors
Most CVEs in this sector, latest monthly snapshot.
| Vendor | CVEs | Crit | KEV |
|---|---|---|---|
| linux | 514 | 40 | · |
| microsoft | 265 | 19 | · |
| redhat | 133 | 2 | · |
| сообщество свободного программного обеспечения | 55 | 5 | · |
| qualcomm, inc. | 22 | · | · |
| zephyrproject | 22 | · | · |
| samsung mobile | 15 | · | · |
| fedora project | 14 | · | · |
| suse | 12 | · | · |
| amazon.com inc. | 9 | · | · |
Subsectors
Breakdown for the latest monthly snapshot.
| Subsector | CVEs | Crit | KEV | Vendors | MoM | Top products |
|---|---|---|---|---|---|---|
| linux-distro | 682 | 49 | · | 35 | — | linux (517) · red hat enterprise linux 8 (81) · red hat enterprise linux 9 (81) |
| mobile-os | 181 | 4 | 2 | 7 | — | android (187) · ios and ipados (38) · ipados (38) |
| windows | 133 | 197 | · | 2 | — | windows 11 26h1 (218) · windows server 2025 (216) · windows server 2025 (server core installation) (214) |
| unix-bsd | 74 | 3 | · | 9 | — | macos (51) · freebsd (10) · x server (9) |
| — | 47 | 2 | · | 5 | — | linux kernel (32) · microsoft exchange server 2016 cumulative update 23 (7) · i (4) |
| rtos-embedded-os | 46 | 1 | · | 4 | — | zephyr (30) · emberznet (11) · optee_os (3) |
Sector classification is AI-assisted with human review.