Microsoft has started showing full screen warnings about the upcoming end of support date on Windows 10 PCs. From a report: Users on Reddit have reported seeing the prompt, which began appearing after this week's Patch Tuesday updates were installed, and encourages the user to learn more about how they can transition to Windows 11. Windows 10's end of support date is currently set for October 14, 2025. After that date, Windows 10 users will no longer receive critical security and bug fix updates, leaving any Windows 10 PC connected to the internet vulnerable to any newly discovered security exploits. The full screen prompt that is now appearing on some Windows 10 PCs thanks the user for their loyalty using Windows 10, and warns that this end of life (EOL) date is approaching. It also wastes no time advertising Windows 11, encouraging the user to learn more about how they can transition to a new Windows 11 PC. Notably, there's no button to tell the prompt to never show again.

An anonymous reader shares a report: Google offers a VPN via its "Google One" monthly subscription plan, and while it debuted on phones, a desktop app has been available for Windows and Mac OS for over a year now. Since a lot of people pay for Google One for the cloud storage increase for their Google accounts, you might be tempted to try the VPN on a desktop, but Windows users testing out the app haven't seemed too happy lately. An open bug report on Google's GitHub for the project says the Windows app "breaks" the Windows DNS, and this has been ongoing since at least November.

A VPN would naturally route all your traffic through a secure tunnel, but you've still got to do DNS lookups somewhere. A lot of VPN services also come with a DNS service, and Google is no different. The problem is that Google's VPN app changes the Windows DNS settings of all network adapters to always use Google's DNS, whether the VPN is on or off. Even if you change them, Google's program will change them back. Most VPN apps don't work this way, and even Google's Mac VPN program doesn't work this way. The users in the thread (and the ones emailing us) expect the app, at minimum, to use the original Windows settings when the VPN is off. Since running a VPN is often about privacy and security, users want to be able to change the DNS away from Google even when the VPN is running.

quonset shares a report: In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying "a cascade of errors" by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.

The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company's knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China. It concluded that "Microsoft's security culture was inadequate and requires an overhaul" given the company's ubiquity and critical role in the global technology ecosystem. Microsoft products "underpin essential services that support national security, the foundations of our economy, and public health and safety."

The panel said the intrusion, discovered in June by the State Department and dating to May "was preventable and should never have occurred," blaming its success on "a cascade of avoidable errors." What's more, the board said, Microsoft still doesn't know how the hackers got in. [...] It said Microsoft's CEO and board should institute "rapid cultural change" including publicly sharing "a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."

"After being in development since 2019, the huge NetBSD 10.0 is out today as a wonderful Easter surprise," reports Phoronix: NetBSD 10 provides WireGuard support, support for many newer Arm platforms including for Apple Silicon and newer Raspberry Pi boards, a new Intel Ethernet drive, support for Realtek 2.5GbE network adapters, SMP performance improvements, automatic swap encryption, and an enormous amount of other hardware support improvements that accumulated over the past 4+ years.

Plus there is no shortage of bug fixes and performance optimizations with NetBSD 10. Some tests of NetBSD 10.0 in development back during 2020 showed at that point it was already 12% faster than NetBSD 9.
"A lot of development went into this new release," NetBSD wrote on their blog, saying "This also caused the release announcement to be one of the longest we ever did."

Among the new userspace programs is warp(6), which they describe as a "classic BSD space war game (copyright donated to the NetBSD Foundation by Larry Wall)."

The Record reports: Ross Anderson, a professor of security engineering at the University of Cambridge who is widely recognized for his contributions to computing, passed away at home on Thursday according to friends and colleagues who have been in touch with his family and the University.

Anderson, who also taught at Edinburgh University, was one of the most respected academic engineers and computer scientists of his generation. His research included machine learning, cryptographic protocols, hardware reverse engineering and breaking ciphers, among other topics. His public achievements include, but are by no means limited to, being awarded the British Computer Society's Lovelace Medal in 2015, and publishing several editions of the Security Engineering textbook.
Anderson's security research made headlines throughout his career, with his name appearing in over a dozen Slashdot stories...

• 2023: Researchers Warn of 'Model Collapse' As AI Trains On AI-Generated Content

• 2021: 'Trojan Source' Bug Threatens the Security of All Code

• 2015: Factory Reset On Millions of Android Devices Doesn't Wipe Storage

• 2012: UK Web Snooping Plan Invades Privacy, Despite Claims To the Contrary

• 2010: Why "Verified By Visa" System Is Insecure

• 2008: Researchers Expose New Credit Card Fraud Risk

• 2006: "Security Engineering" Is Now Online. [The link from that 2006 post still works. Slashdot called Anderson's book "arguably the best information security book ever written" in one of two reviews, published in 2002 and 2010.]

• 2002:Security of Open vs. Closed Source Software.

• 2002: Analyzing Palladium

My favorite story? UK Banks Attempt To Censor Academic Publication.

"Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online..."

An anonymous reader quotes a report from KrebsOnSecurity: Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user's account is under attack and that Apple support needs to "verify" a one-time code. [...]

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven't even been acted on by the user? Could this be the result of a bug in Apple's systems? Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he's convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed "AirDoS" because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop -- a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple's fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple's rate limit on how many of these password reset requests can be sent in a given timeframe. "I think this could be a legit Apple rate limit bug that should be reported," Bagaria said.

BrianFagioli shares a report from BetaNews: Canonical, the company behind the popular Ubuntu operating system, has announced a significant extension to the support lifecycle of its long-term support (LTS) releases. The new paid Legacy Support add-on for Ubuntu Pro subscribers will now provide security maintenance and support for an impressive 12 years, extending the previous 10-year commitment. This enhancement is available starting with Ubuntu 14.04 LTS and will benefit both enterprises and individual users who rely on the stability and security of Ubuntu for their critical systems. By default, Ubuntu LTS releases receive five years of standard security maintenance. However, with Ubuntu Pro, this is expanded to 10 years for both the main and universe repositories, offering access to a broader range of secure open-source software.

The Legacy Support add-on further extends this period by an additional two years, ensuring that organizations can maintain their systems with the latest security patches and support services without the immediate need to upgrade to a newer OS version. This is particularly beneficial for large, established production systems where transitioning to a new OS can be a complex and risky endeavor due to the potential need to update the entire software stack. The extended support includes continuous vulnerability management for critical, high, and medium Common Vulnerabilities and Exposures (CVEs) across all software packages shipped with Ubuntu. Canonical's security team actively backports crucial fixes to all supported Ubuntu LTS releases, providing peace of mind to users and enterprises. In addition to security maintenance, the Legacy Support add-on also offers phone and ticket support, enhancing Canonical's commitment to assisting customers with troubleshooting, break fixes, bug fixes, and guidance.

An anonymous reader shared this report from The Register: Chinese spies exploited a couple of critical-severity bugs in F5 and ConnectWise equipment earlier this year to sell access to compromised U.S. defense organizations, UK government agencies, and hundreds of other entities, according to Mandiant.

The Google-owned threat hunters said they assess, "with moderate confidence," that a crew they track as UNC5174 was behind the exploitation of CVE-2023-46747, a 9.8-out-of-10-CVSS-rated remote code execution bug in the F5 BIG-IP Traffic Management User Interface, and CVE-2024-1709, a path traversal flaw in ConnectWise ScreenConnect that scored a perfect 10 out of 10 CVSS severity rating.

UNC5174 uses the online persona Uteus, and has bragged about its links to China's Ministry of State Security (MSS) — boasts that may well be true. The gang focuses on gaining initial access into victim organizations and then reselling access to valuable targets... Just last month, Mandiant noticed the same combination of tools, believed to be unique to this particular Chinese gang, being used to exploit the ConnectWise flaw and compromise "hundreds" or entities, mostly in the U.S. and Canada. Also between October 2023 and February 2024, UNC5174 exploited CVE-2023-22518 in Atlassian Confluence, CVE-2022-0185 in Linux kernels, and CVE-2022-3052, a Zyxel Firewall OS command injection vulnerability, according to Mandiant.

These campaigns included "extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions," the threat intel team noted.
More details from The Record. "One of the strangest things the researchers found was that UNC5174 would create backdoors into compromised systems and then patch the vulnerability they used to break in. Mandiant said it believes this was an 'attempt to limit subsequent exploitation of the system by additional unrelated threat actors attempting to access the appliance.'"

BleepingComputer reports on "a new denial-of-service attack dubbed 'Loop DoS' targeting application layer protocols."

According to their article, the attack "can pair network services into an indefinite communication loop that creates large volumes of traffic." Devised by researchers at the CISPA Helmholtz-Center for Information Security, the attack uses the User Datagram Protocol (UDP) and impacts an estimated 300,000 host and their networks. The attack is possible due to a vulnerability, currently tracked as CVE-2024-2169, in the implementation of the UDP protocol, which is susceptible to IP spoofing and does not provide sufficient packet verification. An attacker exploiting the vulnerability creates a self-perpetuating mechanism that generates excessive traffic without limits and without a way to stop it, leading to a denial-of-service (DoS) condition on the target system or even an entire network. Loop DoS relies on IP spoofing and can be triggered from a single host that sends one message to start the communication.

According to the Carnegie Mellon CERT Coordination Center (CERT/CC) there are three potential outcomes when an attacker leverages the vulnerability:

— Overloading of a vulnerable service and causing it to become unstable or unusable.
— DoS attack on the network backbone, causing network outages to other services.
— Amplification attacks that involve network loops causing amplified DOS or DDOS attacks.

CISPA researchers Yepeng Pan and Professor Dr. Christian Rossow say the potential impact is notable, spanning both outdated (QOTD, Chargen, Echo) and modern protocols (DNS, NTP, TFTP) that are crucial for basic internet-based functions like time synchronization, domain name resolution, and file transfer without authentication... The researchers warned that the attack is easy to exploit, noting that there is no evidence indicating active exploitation at this time. Rossow and Pan shared their findings with affected vendors and notified CERT/CC for coordinated disclosure. So far, vendors who confirmed their implementations are affected by CVE-2024-2169 are Broadcom, Cisco, Honeywell, Microsoft, and MikroTik.

To avoid the risk of denial of service via Loop DoS, CERT/CC recommends installing the latest patches from vendors that address the vulnerability and replace products that no longer receive security updates. Using firewall rules and access-control lists for UDP applications, turning off unnecessary UDP services, and implementing TCP or request validation are also measures that can mitigate the risk of an attack. Furthermore, the organization recommends deploying anti-spoofing solutions like BCP38 and Unicast Reverse Path Forwarding (uRPF), and using Quality-of-Service (QoS) measures to limit network traffic and protect against abuse from network loops and DoS amplifications.

"Microsoft confirmed that a memory leak introduced with the March 2024 Windows Server security updates is behind a widespread issue causing Windows domain controllers to crash," BleepingComputer reported Thursday.

Friday Microsoft wrote that the issue "was resolved in the out-of-band update KB5037422," only available via the Microsoft Update Catalog. (The update "is not available from Windows Update and will not install automatically.")

BleepingComputer reported the leak only affected "enterprise systems using the impacted Windows Server platform," and home users were not affected. But Microsoft confirmed it impacted all domain controller servers with the latest Windows Server 2012 R2, 2016, 2019, and 2022 updates: As BleepingComputer first reported on Wednesday and as many admins have warned over the last week, affected servers are freezing and restarting unexpectedly due to a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with this month's cumulative updates.

"Since installation of the March updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die)," one admin said.

"Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung," another Windows admin told BleepingComputer.
The leak "is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests," Microsoft wrote. "Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of underlying domain controllers..."

"We strongly recommend you do not apply the March 2024 security update on DCs and install KB5037422 instead..."

The macOS Sonoma 14.4 update introduces a bug affecting iCloud Drive's versioning system, where users with "Optimize Mac Storage" enabled can lose all previous versions of a file removed from local storage. MacRumors reports: Versions are normally created automatically when users save files using apps that work with the version system in macOS. According to The Eclectic Light Company's Howard Oakley, users running macOS 14.4 that have "Optimize Mac Storage" enabled should be aware that they are at risk of losing all previously saved versions of a file if they opt to remove it from iCloud Drive local storage: "In previous versions of macOS, when a file is evicted from local storage in iCloud Drive [using the Remove Download option in the right-click contextual menu], all its saved versions have been preserved. Download that file again from iCloud Drive, and versions saved on that Mac (but not other Macs or devices) have remained fully accessible. Do that in 14.4, and all previous versions are now removed, and lost forever."

Oakley said his own tests confirmed that this behavior does not happen in macOS Sonoma 14.3 or macOS Ventura, so it is exclusive to macOS 14.4. For users who have already updated, he suggests either not saving files to iCloud Drive at all, or turning off Optimize Mac Storage. To perform the latter in System Settings, click your Apple ID, select iCloud, and then toggle off the switch next to "Optimize Mac Storage." You may need to perform this action twice -- reports suggest it can turn back on by itself. For a more exhaustive account of the problem, see Oakley's subsequent post.

Bill Toulas reports via BleepingComputer: Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid to researchers in 2022, the amount is still significant, showcasing a high level of community participation in Google's security efforts.

The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program's launch in 2010 has reached $59 million. For Android, the world's most popular and widely used mobile operating system, the program awarded over $3.4 million. Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports. During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables. Google's other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.

An anonymous reader quotes a report from MacRumors: Apple today released visionOS 1.1, marking the first major update to the visionOS operating system that was launched alongside the Vision Pro in February. visionOS updates can be installed by going to the Settings app on the Vision Pro, selecting the General section, and choosing Software Update. The Vision Pro headset will need to be removed to install new software, with a progress bar available on the front EyeSight display.

Apple is making several improvements to the Vision Pro with the visionOS update. Mobile Device Management is available for businesses, and Persona and EyeSight look better than before. The virtual keyboard has been updated to address bugs and make cursor positioning more accurate, and there are also bug fixes for the Mac Virtual Display. Here's a summary of visionOS 1.1 from the release notes: "This update introduces MDM features that enable deployment, device configuration, and management for enterprises. This release also includes Persona improvements, the ability to delete system apps from the Home View, as well as other features, bug fixes, and security updates for your Apple Vision Pro."

Michael Larabel, reporting at Phoronix: One of the limitations of AMD's open-source Linux graphics driver has been the inability to implement HDMI 2.1+ functionality on the basis of legal requirements by the HDMI Forum. AMD engineers had been working to come up with a solution in conjunction with the HDMI Forum for being able to provide HDMI 2.1+ capabilities with their open-source Linux kernel driver, but it looks like those efforts for now have concluded and failed. For three years there has been a bug report around 4K@120Hz being unavailable via HDMI 2.1 on the AMD Linux driver. Similarly, there have been bug reports like 5K @ 240Hz not possible either with the AMD graphics driver on Linux.

As covered back in 2021, the HDMI Forum closing public specification access is hurting open-source support. AMD as well as the X.Org Foundation have been engaged with the HDMI Forum to try to come up with a solution to be able to provide open-source implementations of the now-private HDMI specs. AMD Linux engineers have spent months working with their legal team and evaluating all HDMI features to determine if/how they can be exposed in their open-source driver. AMD had code working internally and then the past few months were waiting on approval from the HDMI Forum. Sadly, the HDMI Forum has turned down AMD's request for open-source driver support.

The Intercept, Raw Story, and AlterNet have filed separate lawsuits against OpenAI and Microsoft, alleging copyright infringement and the removal of copyright information while training AI models. The Verge reports: The publications said ChatGPT "at least some of the time" reproduces "verbatim or nearly verbatim copyright-protected works of journalism without providing author, title, copyright or terms of use information contained in those works." According to the plaintiffs, if ChatGPT trained on material that included copyright information, the chatbot "would have learned to communicate that information when providing responses."

Raw Story and AlterNet's lawsuit goes further (PDF), saying OpenAI and Microsoft "had reason to know that ChatGPT would be less popular and generate less revenue if users believed that ChatGPT responses violated third-party copyrights." Both Microsoft and OpenAI offer legal cover to paying customers in case they get sued for violating copyright for using Copilot or ChatGPT Enterprise. The lawsuits say that OpenAI and Microsoft are aware of potential copyright infringement. As evidence, the publications point to how OpenAI offers an opt-out system so website owners can block content from its web crawlers. The New York Times also filed a lawsuit in December against OpenAI, claiming ChatGPT faithfully reproduces journalistic work. OpenAI claims the publication exploited a bug on the chatbot to regurgitate its articles.

An anonymous reader quotes a report from Ars Technica: On Tuesday, ChatGPT users began reporting unexpected outputs from OpenAI's AI assistant, flooding the r/ChatGPT Reddit sub with reports of the AI assistant "having a stroke," "going insane," "rambling," and "losing it." OpenAI has acknowledged the problem and is working on a fix, but the experience serves as a high-profile example of how some people perceive malfunctioning large language models, which are designed to mimic humanlike output. ChatGPT is not alive and does not have a mind to lose, but tugging on human metaphors (called "anthropomorphization") seems to be the easiest way for most people to describe the unexpected outputs they have been seeing from the AI model. They're forced to use those terms because OpenAI doesn't share exactly how ChatGPT works under the hood; the underlying large language models function like a black box.

"It gave me the exact same feeling -- like watching someone slowly lose their mind either from psychosis or dementia," wrote a Reddit user named z3ldafitzgerald in response to a post about ChatGPT bugging out. "It's the first time anything AI related sincerely gave me the creeps." Some users even began questioning their own sanity. "What happened here? I asked if I could give my dog cheerios and then it started speaking complete nonsense and continued to do so. Is this normal? Also wtf is 'deeper talk' at the end?" Read through this series of screenshots below, and you'll see ChatGPT's outputs degrade in unexpected ways. [...]

So far, we've seen experts speculating that the problem could stem from ChatGPT having its temperature set too high (temperature is a property in AI that determines how wildly the LLM deviates from the most probable output), suddenly losing past context (the history of the conversation), or perhaps OpenAI is testing a new version of GPT-4 Turbo (the AI model that powers the subscription version of ChatGPT) that includes unexpected bugs. It could also be a bug in a side feature, such as the recently introduced "memory" function.

A software error on the part of Firefly Aerospace doomed Lockheed Martin's Electronic Steerable Antenna (ESA) demonstrator to a shorter-than-expected orbital life following a botched Alpha launch. From a report: According to Firefly's mission update, the error was in the Guidance, Navigation, and Control (GNC) software algorithm, preventing the system from sending the necessary pulse commands to the Reaction Control System (RCS) thrusters before the relight of the second stage. The result was that Lockheed's payload was left in the wrong orbit, and Firefly's engineers were left scratching their heads.

The launch on December 22, 2023 -- dubbed "Fly the Lightning" -- seemed to go well at first. It was the fourth for the Alpha, and after Firefly finally registered a successful launch a few months earlier in September, initial indications looked good. However, a burn of the second stage to circularize the orbit did not go to plan, and Lockheed's satellite was left in the wrong orbit, with little more than weeks remaining until it re-entered the atmosphere.

As it turned out, the Lockheed team completed their primary mission objectives. The payload was, after all, designed to demonstrate faster on-orbit sensor calibration. Just perhaps not quite that fast. Software issues aboard spacecraft are becoming depressingly commonplace. A recent example was the near disastrous first launch of Boeing's CST-100 Starliner, where iffy code could have led, in NASA parlance, to "spacecraft loss." In a recent interview with The Register, former Voyager scientist Garry Hunt questioned if the commercial spaceflight sector of today would take the same approach to quality as the boffins of the past.

Michael Larabel reports via Phoronix: With Valve's release today of the Steam Audio SDK 4.5.2 they have made the software development kit fully open-source under an Apache 2.0 license. Steam Audio 4.5.2 may not sound exciting in the context of a version number but as described in the release announcement is now "the first open source release of the Steam Audio SDK source code." The rest of this work in this Steam Audio SDK release amounts to bug fixes and other standard changes.

In a SteamCommunity.com announcement posted today entitled "Steam Audio Open Source Release," it notes: "The entire Steam Audio codebase, including both the SDK and all plugins, is now released under the Apache 2.0 license. This allows developers to use Steam Audio in commercial products, and to modify or redistribute it under their own licensing terms without having to include source code. We welcome contributions from developers who would like to fix bugs or add features to Steam Audio." You can learn more about Steam Audio via the project site.

An anonymous reader shared an news report: Microsoft has fixed an issue where its Edge browser was again misbehaving, this time by automatically importing browsing data and tabs from Chrome without consent. I personally experienced the bug last month, after I rebooted my PC for a regular Windows update and Microsoft Edge automatically opened with the Chrome tabs I was working on before the update. I asked Microsoft repeatedly to explain why this behavior had occurred for myself and many other Windows users, but the company refused to comment. Microsoft has now quietly issued a fix in the latest Microsoft Edge update.

Here's how Microsoft describes the fix: "Edge has a feature that provides an option to import browser data on each launch from other browsers with user consent. This feature's state might not have been syncing and displaying correctly across multiple devices. This is fixed."

From a blog post by Greg Kroah-Hartman: As was recently announced, the Linux kernel project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux.

This is a trend, of more open source projects taking over the haphazard assignments of CVEs against their project by becoming a CNA so that no other group can assign CVEs without their involvment. Here's the curl project doing much the same thing for the same reasons. I'd like to point out the great work that the Python project has done in supporting this effort, and the OpenSSF project also encouraging it and providing documentation and help for open source projects to accomplish this. I'd also like to thank the cve.org group and board as they all made the application process very smooth for us and provided loads of help in making this all possible.

As many of you all know, I have talked a lot about CVEs in the past, and yes, I think the system overall is broken in many ways, but this change is a way for us to take more responsibility for this, and hopefully make the process better over time. It's also work that it looks like all open source projects might be mandated to do with the recent rules and laws being enacted in different parts of the world, so having this in place with the kernel will allow us to notify all sorts of different CNA-like organizations if needed in the future.
Kroah-Hartman links to his post on the kernel mailing list for "more details about how this is all going to work for the kernel." [D]ue to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team are overly cautious and assign CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team...

No CVEs will be assigned for unfixed security issues in the Linux kernel, assignment will only happen after a fix is available as it can be properly tracked that way by the git commit id of the original fix. No CVEs will be assigned for any issue found in a version of the kernel that is not currently being actively supported by the Stable/LTS kernel team.
alanw (Slashdot reader #1,822) worries this could overwhelm the CVE infrastructure, pointing to an ongoing discussion at LWN.net.

But reached for a comment, Greg Kroah-Hartman thinks there's been a misunderstanding. He told Slashdot that the CVE group "explicitly asked for this as part of our application... so if they are comfortable with it, why is no one else?"