Public CVE Feed
A public, unauthenticated feed of every Linux kernel CVE we track — in OSV 1.6 and CycloneDX VDR formats. Plug it into Dependency-Track, Trivy, Grype, Renovate, or your own pipeline alongside your existing sources. Same CVE IDs as NVD, just earlier.
NVD lag killer for kernel CVEs.
kernel.org publishes new CVEs to cvelistV5 within hours
of disclosure; NVD enrichment commonly trails by 1–4 weeks and
sometimes never catches up. We pull cvelistV5 directly
and re-publish it in scanner-native formats so your tooling sees
kernel CVEs the same day they land — not the same month.
Quick start
The manifest at /feed/index.json is fully public. Every
other endpoint needs a free KernelScan account:
register, generate a personal access
token from the Account page, and send it as a
Bearer header.
# Manifest — public, no auth needed
curl https://kernelscan.io/feed/index.json
# Set your token once
export KS_TOKEN=ks_live_…
# OSV — every kernel CVE in one array
curl -H "Authorization: Bearer $KS_TOKEN" https://kernelscan.io/feed/osv/all.json
# CycloneDX VDR — every kernel CVE in one BOM
curl -H "Authorization: Bearer $KS_TOKEN" https://kernelscan.io/feed/cyclonedx/all.json
# A single CVE
curl -H "Authorization: Bearer $KS_TOKEN" https://kernelscan.io/feed/osv/CVE-2024-12345.json
curl -H "Authorization: Bearer $KS_TOKEN" https://kernelscan.io/feed/cyclonedx/CVE-2024-12345.jsonEndpoints
Manifest
Top-level metadata: total CVE count, last-modified timestamp, license, and the URLs of every other endpoint. Cheap to poll.
OSV — bulk
JSON array of OSV 1.6 records — one per kernel CVE we track. The drop-in input for OSV-Scanner, Trivy's OSV mode, and Dependency-Track's OSV mirror.
OSV — per CVE
One OSV 1.6 record. Use when you only need a single CVE — handy for webhooks and CI fingerprinting.
CycloneDX VDR — bulk
A single CycloneDX 1.6 Vulnerability Disclosure Report containing every kernel CVE. Native to Dependency-Track; richer property layout than OSV for our AI-extended fields.
CycloneDX VDR — per CVE
A single-vulnerability VDR. Same shape as the bulk endpoint, scoped to one CVE.
Freshness
Our pipeline polls cvelistV5 hourly and the NVD API on a
rolling cadence. New CVEs land in this feed within ~4 hours of CNA
publication; AI-generated CVSS / CWE follows once auditing completes
(typically minutes after that).
Every response carries a Last-Modified header and
X-KernelScan-Feed-* headers describing tier and license.
/feed/index.json exposes the same timestamp as a JSON
field for clients that prefer in-band metadata.
What's in the feed by tier
The same URL serves all logged-in users. Free accounts get a moving 60-day window of recently-published kernel CVEs plus AI-calculated CVSS / severity / vector / CWE — enough to keep Dependency-Track and friends current on new disclosures. Basic+ plans (Basic, Pro, Enterprise) additionally unlock the full historical corpus, the AI-generated risk summary, and the vulnerability analysis.
| Field | Free account | Basic+ account |
|---|---|---|
| Coverage window | Last 60 days | All tracked CVEs |
| CVE ID, description, references, fix versions | Yes | Yes |
| NVD CVSS / CWE (when available) | Yes | Yes |
| AI-calculated CVSS, severity, vector, CWE | Yes | Yes |
| Affected component, classification, CISA KEV flag | Yes | Yes |
| AI risk summary | — | Yes |
| AI vulnerability analysis | — | Yes |
| CONFIG_* dependency mapping, factor verdicts | Paid product | Paid product |
Config-gated applicability ("does my kernel build need this patch?") is the core of our paid product and stays out of the feed. The feed makes a CVE more actionable in isolation; the paid product makes it actionable for your specific kernel.
Using with Dependency-Track
DT 4.x doesn't forward Authorization headers to its OSV
mirror loader, so the integration uses a per-user URL-embedded token
instead. Generate a Dependency-Track URL from the
Account page and paste it into DT's
Administration → Vulnerability Sources → OSV → Mirror URL
field; the credential rides in the path.
See the Dependency-Track Integration guide for the full walkthrough including DT property names, throughput shaping, and rotation. The same tier rules apply: free accounts get the rolling 60-day window, Basic+ gets the full corpus.
Each record's primary id is namespaced
(KSCAN-CVE-YYYY-NNNNN) and the canonical
CVE-YYYY-NNNNN id ships in aliases — exactly
the pattern GHSA records use. DT registers us as a distinct source,
then collapses our record into the same finding as NVD's via the
alias. One row per CVE in your findings view, both sources visible,
one audit trail.
Set DT's per-source field priority so KernelScan ranks above NVD for CVSS / severity / CWE. During the NVD lag window the analyst sees our AI-derived scores instead of "Unassigned"; once NVD catches up both sources show side-by-side and the analyst can compare.
License & attribution
Feed contents are provided under Creative Commons Attribution 4.0 International (CC-BY-4.0). You may freely redistribute, mirror, and integrate this feed into commercial or open-source products, including SBOM and vulnerability scanning pipelines.
Attribution requirement: a visible note crediting KernelScan
(https://kernelscan.io) wherever the data is surfaced to
end users — typically in your tool's vulnerability source list or a
comparable "data sources" page. Each record carries the attribution
string in database_specific.kernelscan.attribution
(OSV) or kernelscan.io:attribution (CycloneDX) so it
flows through automatically.
What you get out of the box
- Records keyed by
KSCAN-CVE-YYYY-NNNNNwith the CVE id inaliases— DT collapses to one finding, both sources attributed - Per-LTS-branch fix versions (mainline, 6.6, 6.1, 5.15, …) as separate ranges
- NVD CVSS / CWE when present, AI-generated CVSS / CWE always
- Direct kernel.org and patch URLs as
FIXreferences - CISA KEV exposure flag per CVE
- Engine version stamped on every record for provenance
Questions, integration help, or issues with the feed? Email hello@kernelscan.io or open an issue on GitHub.