Why do the USNs in the Stemcell Release Notes Have a Different Severity than the CVSS Score?
search cancel

Why do the USNs in the Stemcell Release Notes Have a Different Severity than the CVSS Score?

book

Article ID: 440958

calendar_today

Updated On:

Products

VMware Tanzu Platform Core

Issue/Introduction

On the stemcell release notes page, the listed priority of a USN and/or CVE is different than the CVSS score or the score provided by your scanner

Example:

Title: USN-8227-1 – curl vulnerabilities
URL: https://ubuntu.com/security/notices/USN-8227-1
Priorities: low,medium
CVEs:
- CVE-2026-6276
- CVE-2026-5773
- CVE-2026-7168
- CVE-2026-5545
- CVE-2026-6253
- CVE-2026-6429
- CVE-2026-4873

Resolution

The priorities listed on the release notes page come from Ubuntu's priority levels. These may be different than the CVSS and other scores. 

For example, CVE-2026-6276 has a high CVSS score but upstream has defined it as low severity

Powered by Wolken Software