June 27, 2026
CVEs: Cataloging the Cracks in Our Code
There’s really no better icebreaker than a good scary story……
By Namansharma
In December 2021, a single logging library brought the internet to its knees. A researcher disclosed that Apache Log4j — used by virtually every Java application on Earth — had a flaw so trivial to exploit that a single string in a chat message, search box, or HTTP header could give an attacker full remote code execution on the server. No authentication. No special access. Just paste a string.
Within hours, attackers were scanning the entire internet. Minecraft servers, Apple iCloud, AWS, Twitter, Cloudflare, Steam — all vulnerable. Governments issued emergency directives. Companies pulled all-nighters patching systems they didn't even know used Log4j.
Its name: CVE-2021-44228. Its nickname: Log4Shell. Its CVSS score: 10.0 — the maximum. (Source: Red Hat article.)
---
But what in God's name is a CVE, and what damage can it do?
CVE stands for Common Vulnerabilities and Exposures. It's not a tool, not a scanner, not a fix — it's a dictionary. A globally unique ID assigned to a publicly known security flaw.
Format: CVE-[YEAR]-[SEQUENTIAL NUMBER]
That's it. A CVE is just a name tag so that when Red Hat, Google, NIST, your security scanner, and a random researcher are all talking about the same bug, they can confirm they mean the same bug.
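Because a CVE ID is only useful as a shared name, the practical problem is matching the same ID across tools and documents that write it slightly differently (the en-dash in "CVE-2021–44228" above is exactly what happens when an ID is copied out of a rendered web page). The following is an added example, not code from the original post: it normalizes dash variants and case, validates the CVE-[YEAR]-[SEQUENTIAL NUMBER] format, and pulls a deduplicated list of IDs out of free text. The sample text is constructed.

```python
import re

# Hyphen look-alikes that appear when IDs are copied from rendered documents:
# non-breaking hyphen, figure dash, en dash, em dash, horizontal bar, minus sign.
DASH_VARIANTS = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"

# Canonical syntax: CVE-<4-digit year>-<sequence of at least 4 digits>.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Loose pattern for scanning free text: any dash variant, any letter case.
LOOSE_CVE_RE = re.compile(
    r"CVE[-\u2010-\u2015\u2212]\d{4}[-\u2010-\u2015\u2212]\d{4,}", re.IGNORECASE
)


def normalize_cve_id(raw: str) -> str:
    """Return the canonical 'CVE-YYYY-NNNN' form of raw, or raise ValueError."""
    s = raw.strip().upper()
    for dash in DASH_VARIANTS:
        s = s.replace(dash, "-")
    m = CVE_ID_RE.match(s)
    if not m:
        raise ValueError(f"not a CVE ID: {raw!r}")
    year, seq = m.groups()
    if int(year) < 1999:  # the CVE list began in 1999; earlier years are typos
        raise ValueError(f"implausible CVE year in {raw!r}")
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text: str) -> list:
    """Every CVE ID mentioned in text, normalized and deduplicated, in order of first appearance."""
    found = []
    for m in LOOSE_CVE_RE.finditer(text):
        try:
            cve_id = normalize_cve_id(m.group(0))
        except ValueError:
            continue  # matched the loose shape but failed validation; skip it
        if cve_id not in found:
            found.append(cve_id)
    return found


# Constructed sample: scanner output and ticket notes that spell the same ID three ways.
SAMPLE_TEXT = """\
high  CVE-2021–44228  log4j-core 2.14.1   (en-dash, copied from a web page)
high  cve-2014-0160   openssl 1.0.1e      (lower-case, pasted from chat)
Ticket: CVE-2021-44228 fixed; ignore the malformed CVE-21-1 and CVE-2014-160.
"""

if __name__ == "__main__":
    for cve_id in extract_cve_ids(SAMPLE_TEXT):
        print(cve_id)
```

Run it and the three spellings of Log4Shell's ID collapse to one entry, the lower-case Heartbleed ID is canonicalized, and the two malformed strings are dropped because their year or sequence number is too short.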
A CVE itself does nothing — it's the vulnerability it names that does damage. Exploited CVEs can enable:
- Remote Code Execution (RCE) — attacker runs arbitrary code on your machine
- Privilege Escalation — low-privilege user becomes root
- Data Exfiltration — read secrets, databases, keys
- Denial of Service — crash a service or an entire cluster
- Container Escape — break out of a container onto the host node
- Supply Chain Compromise — poison a dependency that millions of projects use
---
Anddd…..How is the CVSS Score Calculated 🤔
CVSS (Common Vulnerability Scoring System) gives every CVE a severity score from 0 to 10. The current version is CVSS v3.1.
The score is built from three metric groups, but the Base Score is what you see published:
Base Score Metrics
The base score is computed from 8 factors split into two categories:
Exploitability Metrics (how easy is it to exploit):
| Metric | Question it answers | Values |
|---|---|---|
| Attack Vector (AV) | Where must the attacker be? | Network / Adjacent / Local / Physical |
| Attack Complexity (AC) | Does it need special conditions? | Low / High |
| Privileges Required (PR) | Does the attacker need an account? | None / Low / High |
| User Interaction (UI) | Must a victim click something? | None / Required |
Impact Metrics (how bad is the damage 🚨):
| Metric | Question it answers | Values |
|---|---|---|
| Confidentiality (C) | Can the attacker read data? | None / Low / High |
| Integrity (I) | Can the attacker modify data? | None / Low / High |
| Availability (A) | Can the attacker crash the system? | None / Low / High |
| Scope (S) | Does it break out of its security boundary? | Unchanged / Changed |
Final Calculation
**CVSS Base Score** = Roundup(min(Impact + Exploitability, 10))
_Where_:
Exploitability = 8.22 × AV × AC × PR × UI
Impact = depends on Scope (Changed vs Unchanged), using the C, I, A values
Each metric value maps to a decimal weight (e.g., AV:Network = 0.85, AV:Physical = 0.20).
Severity Ratings
| Score | Rating |
|---|---|
| 0.0 | None |
| 0.1–3.9 | Low |
| 4.0–6.9 | Medium |
| 7.0–8.9 | High |
| 9.0–10.0 | Critical |
Why Log4Shell Scored 10.0 ⚠️
- Attack Vector: Network (just send a string over HTTP)
- Attack Complexity: Low (no special conditions)
- Privileges Required: None (no authentication needed)
- User Interaction: None (no victim action needed)
- Scope: Changed (escapes the logging context, compromises the whole server)
- Confidentiality/Integrity/Availability: High/High/High
Every dial turned to maximum = 10.0.
---
The Lifecycle of a CVE
Discovery → Report to vendor → CVE ID assigned → Patch developed → Public disclosure (with fix) → Scanners update → You patch

The window between public disclosure and your patch is when attackers strike. This is why "patch Tuesday, exploit Wednesday" is a real phenomenon.
Some Infamous Incidents
- Log4Shell (CVE-2021-44228) — RCE via a logging library, CVSS 10.0
- Heartbleed (CVE-2014-0160) — OpenSSL memory leak exposing private keys
- Shellshock (CVE-2014-6271) — Bash RCE via environment variables
- Dirty COW (CVE-2016-5195) — Linux kernel privilege escalation via copy-on-write race
- SolarWinds/SUNBURST (CVE-2020-10148) — supply chain backdoor in Orion platform
- Kubernetes CrashLoopBackoff Escape (CVE-2019-5736) — container escape via runc
— Signing Out 🫡
Naman Sharma, Red Hat — SME OpenShift