Linux Had 2,308 CVEs in the First Half of 2026 — More Than Any Other Platform

Greg Kroah-Hartman, one of Linux’s most active maintainers, posted the first-half 2026 vulnerability stats on his social feed Thursday. The numbers are striking — and they tell a story that goes well beyond which vendor had the worst quarter.

Linux topped every list. By vendor, the kernel collected 2,308 CVEs between January and June. Google came second with 1,752, followed by an “n/a” category at 1,308, Microsoft at 843, Oracle at 445, Adobe at 395, Red Hat at 340, Apache at 310, and Apple at 284.

By product, the picture is similar but not identical. Linux still leads with 2,309 CVEs. Chrome follows at 1,584. Then it’s n/a at 888, Windows 10 Version 1607 at 284, Firefox at 255, Android at 153, and iOS and iPadOS at 124.

A high CVE count is not the same as a security problem. Linux having the most reported vulnerabilities is, in some ways, a sign of health — it means more security researchers are looking at the code and filing reports. The same logic applies to Chrome and Google. These are the platforms under the most scrutiny, not necessarily the ones that leak data the fastest.

What’s more telling is who isn’t on the list. Proprietary software with small audit surfaces and closed-source vendors that don’t participate in the CVE process can appear clean by comparison. The absence of a number is not the same as a clean bill of health.

Some numbers stand out. Windows 10 Version 1607 — a build that’s nearly a decade old — still logged 284 CVEs in six months. That’s worth sitting with. Android, the world’s most widely used operating system, reported only 153 product-level CVEs. That number feels low for a platform running on billions of devices.

The data is pulled from public CVE records and compiled by Kroah-Hartman from the kernel.org social instance. The full breakdown includes a second set sorted by product that mostly mirrors the vendor rankings, with Linux and Chrome holding the top two spots comfortably.

None of this is a scoreboard. But it is a map of where the security community is spending its attention.