The priorities assigned to vulnerabilities in Ubuntu are for prioritizing the work of when CVEs will be fixed as opposed to just an assessment of severity, importance or risk. The priority is based on many factors including severity, importance, risk, install base, software configuration, active exploitation and other factors which may adjust the impact of certain vulnerabilities such as Ubuntu's proactive security features. Importantly, these priority levels are distinct from other published severity levels such as CVSS as used in the National Vulnerability Database).
| Priority | Description |
|---|---|
| Unknown | Open vulnerability where the priority is currently unknown and needs to be triaged. |
| Negligible | Open vulnerability that may be a problem but otherwise does not impose a security risk due to various factors. Examples include when the vulnerability is only theoretical in nature, requires a very special situation, has almost no install base or does no real damage. These typically will not receive security updates unless there is an easy fix and some other issue causes an update. |
| Low | Open vulnerability that is a problem but does very little damage or is otherwise hard to exploit due to small user base or other factors such as requiring specific environment, uncommon configuration, user assistance, etc. These tend to be included in security updates only when higher priority issues require an update or if many low priority issues have built up. |
| Medium | Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges. |
| High | Open vulnerability that is a real problem and is exploitable for many users in the default configuration of the affected software. Examples include serious remote denial of service of the system, local root privilege escalations or local data theft. |
| Critical | Open vulnerability that is a world-burning problem and is exploitable for most Ubuntu users. Examples include remote root privilege escalations or remote data theft. |