linaro CVE Vulnerabilities & Metrics

Focus on linaro vulnerabilities and metrics.

Last updated: 16 Jun 2026, 22:25 UTC

About linaro Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with linaro. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total linaro CVEs: 7
Earliest CVE date: 19 Jun 2018, 05:29 UTC
Latest CVE date: 01 May 2026, 17:16 UTC

Latest CVE reference: CVE-2026-37540

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

CVSS Stats

Average CVSS: 2.07

Max CVSS: 6.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 4
4.0-6.9 3
7.0-8.9 0
9.0-10.0 0

Top 5 Highest CVSS linaro CVEs

These are the five CVEs with the highest CVSS scores for linaro, sorted by severity first, then by recency.

All CVEs for linaro

CVE-2026-37540 linaro vulnerability CVSS: 0 01 May 2026, 17:16 UTC

OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value.

CVE-2022-45132 linaro vulnerability CVSS: 0 18 Nov 2022, 23:15 UTC

In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input as a Jinja2 template in a way that can be used to trigger remote code execution in the LAVA server.

CVE-2022-44641 linaro vulnerability CVSS: 0 18 Nov 2022, 21:15 UTC

In Linaro Automated Validation Architecture (LAVA) before 2022.11, users with valid credentials can submit crafted XMLRPC requests that cause a recursive XML entity expansion, leading to excessive use of memory on the server and a Denial of Service.

CVE-2022-42902 linaro vulnerability CVSS: 0 13 Oct 2022, 03:15 UTC

In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.

CVE-2018-12565 linaro vulnerability CVSS: 6.5 19 Jun 2018, 05:29 UTC

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of use of yaml.load() instead of yaml.safe_load() when parsing user data, remote code execution can occur.

CVE-2018-12564 linaro vulnerability CVSS: 4.0 19 Jun 2018, 05:29 UTC

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for URLs in the submit page, a user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is readable by lavaserver and valid yaml.

CVE-2018-12563 linaro vulnerability CVSS: 4.0 19 Jun 2018, 05:29 UTC

An issue was discovered in Linaro LAVA before 2018.5.post1. Because of support for file: URLs, a user can force lava-server-gunicorn to download any file from the filesystem if it's readable by lavaserver and valid yaml.