What is CVE and why is it important for the security of embedded systems?

Codiax 14 November 2025

CVE as a pillar of cybersecurity for embedded systems

The CVE system is used to maintain security in complex software environments. As embedded systems become increasingly connected, complex and dependent on open source, exposure to vulnerabilities increases. CVE thus serves as a tool to identify, classify and manage these risks in a standardised way, allowing for rapid remediation of flaws before they are exploited.


What does CVE mean and why is it used?

CVE stands for Common Vulnerabilities and Exposures and is a global system for identifying and cataloguing known vulnerabilities in embedded systems. Each registered vulnerability is given a unique CVE ID, for example CVE-2025-12345, which allows developers, vendors and security teams to talk about the same problem using a common language.

Common CVE vulnerabilities in Linux and Embedded

In the Linux world, new vulnerabilities are constantly being discovered, both in the Linux kernel and in many other open source packages used in Linux systems. When reviewing newly discovered CVEs for a Linux system, the Linux kernel often accounts for more than half of the vulnerabilities. The others are spread fairly evenly across other software packages, such as OpenSSL, Python and curl, all of which are particularly important to the security of the system.

Prioritise relevant CVEs in the Linux kernel

The fact that the Linux kernel accounts for such a large proportion of reported CVEs is partly due to the fact that it is a large and security-critical piece of software, but mainly because kernel developers now report almost every bug found as a CVE. This is simply because many bugs in kernel code can potentially be exploited as vulnerabilities, and it is often too difficult to be absolutely sure that a given bug cannot be.

The CVEs affecting the kernel are spread across all kernel subsystems and supported architectures. With good knowledge of how your system is used, which subsystems are built in and which functions are active, you can filter out many of the reported CVEs as not applicable to your system at an early stage. This makes it easier to keep your system secure and to focus on the vulnerabilities that actually pose a risk.

How organisations can monitor and manage CVEs

All companies managing open source systems should scan, either themselves or through an external organisation, for new and updated CVEs that affect the software packages they use. Here is how it works:

  • Step 1: Scanning the CVE database

    Create a Software Bill of Materials (SBOM), i.e. a complete list of all software packages included in your systems. This forms the basis for linking CVEs to the right components.

    Scan the CVE database for new and updated vulnerabilities affecting your packages using a tool that supports this. Several tools can scan for CVEs. The Yocto project, among others, offers the possibility to scan for new CVEs when building Linux platforms, and in Yocto you can easily mark CVEs as managed so that they are excluded from future scans.

  • Step 2: Assess and manage the results

    After the scan is completed, review all reported CVEs and judge whether or not each one is applicable to your system. Document your decisions for future scans and fix the CVEs that are deemed to have an impact on your system.

  • Step 3: Fixing vulnerabilities

    Identify the CVEs that affect your system and fix them. This may involve patching a software package, upgrading to a newer version, or changing the system design so that the vulnerability no longer applies.

  • Step 4: Follow up and report

    Repeat the process regularly and compile reports on the status. If you are unsure, you can get help from us at Codiax. With the Codiax CMP we perform scans, assessments and actions, and produce reports that show the state of our customers' Linux platforms.
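The four steps above, as an added example that is not Codiax's or the Yocto project's code: a small triage script that reads a scan summary, applies documented "not applicable" decisions so they survive future scans, and ranks what is still open for fixing and reporting. The JSON layout is modelled on the summary file produced by Yocto's cve-check class (an assumption), the CVE IDs other than the page's CVE-2025-12345 are constructed placeholders, and the decision wording mirrors the style of Yocto's CVE_STATUS reasons.

```python
"""Triage a cve-check style scan summary against documented decisions.

Added example, not Codiax's or the Yocto project's code. The JSON shape is
modelled on cve-check's cve-summary.json (assumption); all CVE IDs and
scores below are constructed placeholders, not real vulnerabilities.
"""
import json
from collections import Counter

# Constructed scan output: a kernel package and one userspace package.
SCAN_JSON = json.dumps({
    "version": "1",
    "package": [
        {"name": "linux-yocto", "version": "6.6.0", "issue": [
            {"id": "CVE-2025-12345", "scorev3": "7.8", "status": "Unpatched",
             "summary": "placeholder: flaw in a wireless driver"},
            {"id": "CVE-2025-00001", "scorev3": "5.5", "status": "Unpatched",
             "summary": "placeholder: flaw in the USB gadget subsystem"},
            {"id": "CVE-2025-00002", "scorev3": "9.8", "status": "Patched",
             "summary": "placeholder: already fixed by a backported patch"}]},
        {"name": "openssl", "version": "3.0.0", "issue": [
            {"id": "CVE-2025-00003", "scorev3": "7.5", "status": "Unpatched",
             "summary": "placeholder: flaw in a TLS code path"}]},
    ],
})

# Step 2: documented decisions, kept alongside the SBOM so the next scan
# does not re-raise them. Reason style follows Yocto's CVE_STATUS values.
DECISIONS = {
    "CVE-2025-12345": "not-applicable-config: wireless is disabled on this platform",
}

def triage(scan_json, decisions):
    """Return (open_findings, counts).

    open_findings: (package, cve_id, cvss_v3) tuples still needing a fix,
    worst score first so Step 3 starts with the highest risk.
    counts: Counter over 'patched', 'ignored' and 'open' for the Step 4 report.
    """
    data = json.loads(scan_json)
    open_findings, counts = [], Counter()
    for pkg in data["package"]:
        for issue in pkg["issue"]:
            if issue["status"] == "Patched":
                counts["patched"] += 1
            elif issue["id"] in decisions:       # documented as not applicable
                counts["ignored"] += 1
            else:
                counts["open"] += 1
                open_findings.append((pkg["name"], issue["id"], float(issue["scorev3"])))
    open_findings.sort(key=lambda f: -f[2])
    return open_findings, counts
```

Re-running `triage` after each build with the same `DECISIONS` file is what turns a one-off scan into the repeatable process described in Step 4.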


What happens if you ignore CVE vulnerabilities?

The risks of ignoring vulnerabilities are numerous and serious. For example, the system you build and resell may be attacked and taken over by third parties. This can lead to operational disruptions, financial losses or even threats to human safety.

In addition, the system will not comply with government directives, including:

  • The Cyber Resilience Act (CRA) requires that products with digital elements are secure throughout their life cycle.
  • The Network and Information Security Directive (NIS2) imposes incident reporting and risk management requirements on critical infrastructure providers.
  • The European Union's Radio Equipment Directive (RED) covers cybersecurity requirements for wireless equipment, aiming to protect against network attacks, data loss and resource misuse.

In the worst case, lacking the certifications required under these directives could mean that the system you build is banned from sale.

Codiax helps you scan your CVE database

At Codiax, we are happy to help you with scanning, analysing, taking action and reporting. This way, you can rest assured that your products comply with all applicable cybersecurity directives and standards.