Which Software Had The Most Vulnerabilities In 2016?


2016 was not a good year for Google and Linux software in terms of security vulnerabilities. Here’s the list of the top 20 software with the most security flaws in 2016.

Security firm CVE Details has released its list of the top 50 software products with the highest number of distinct vulnerabilities in 2016. Security flaws range from denial of service (DoS) to code execution and privilege escalation.

While Mac OSX topped the list in 2015, Android took first place in 2016 with a whopping 523 vulnerabilities. The Debian distribution of Linux saw a steep jump in security flaws and shot up the list to take the second spot. This was followed by Ubuntu Linux, which saw a modest increase in vulnerabilities.

Here’s a breakdown of the top 20 list:

Rank  Software (vendor)                 # of vulnerabilities
1     Android (Google)                  523
2     Debian Linux (Debian)             319
3     Ubuntu Linux (Ubuntu)             278
4     Flash Player (Adobe)              266
5     Leap (Novell)                     259
6     OpenSUSE (Novell)                 228
7     Acrobat Reader DC (Adobe)         227
8     Adobe DC (Adobe)                  227
9     Acrobat (Adobe)                   224
10    Linux Kernel (Linux)              217
11    Mac OSX (Apple)                   215
12    Reader (Adobe)                    204
13    Chrome (Google)                   149
14    Windows 10 (Microsoft)            172
15    iPhone OS (Apple)                 161
16    Windows Server 2012 (Microsoft)   156
17    Windows 8.1 (Microsoft)           154
18    Windows RT 8.1 (Microsoft)        139
19    Edge (Microsoft)                  135
20    Windows 7 (Microsoft)             134

You can compare the results with the 2015 list here.

It’s worth noting that the CVE Details list itself doesn’t break down the severity of the vulnerabilities; it simply aggregates them. The list also doesn’t differentiate between different versions of some of the software; for example, vulnerabilities for various versions of Mac OSX are lumped together. The same thing goes for Android.

You’ll also notice that different versions of the Windows OS are listed separately. We can only assume that’s because Microsoft, up until Windows 10, released each version of Windows as a standalone OS.
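An added example (not from CVE Details or the original article) of how the two caveats above change a ranking: per-product counts repeat one CVE for every listed version, and a raw count hides severity. All records, vendors and products are constructed placeholders; the severity bands follow the CVSS v3 qualitative ratings.

```python
from collections import Counter, defaultdict

# Constructed sample records: (cve_id, cvss_base_score, [(vendor, product), ...]).
# IDs, vendors and products are placeholders, not real data.
RECORDS = [
    ("CVE-0000-0001", 9.8, [("vendor-a", "os-a-7"), ("vendor-a", "os-a-8"),
                            ("vendor-a", "os-a-10")]),
    ("CVE-0000-0002", 7.8, [("vendor-a", "os-a-7"), ("vendor-a", "os-a-8")]),
    ("CVE-0000-0003", 4.3, [("vendor-b", "os-b")]),
    ("CVE-0000-0004", 5.0, [("vendor-b", "os-b")]),
    ("CVE-0000-0005", 3.3, [("vendor-b", "os-b")]),
    ("CVE-0000-0006", 8.8, [("vendor-b", "os-b"), ("vendor-a", "os-a-10")]),
]

def severity(score):
    """Map a CVSS v3 base score to its qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def per_product(records):
    """Raw count per product, the way a ranking table aggregates."""
    counts = Counter()
    for _, _, affected in records:
        counts.update({product for _, product in affected})
    return counts

def per_vendor_distinct(records):
    """Distinct CVE ids per vendor: a CVE hitting three versions counts once."""
    ids = defaultdict(set)
    for cve_id, _, affected in records:
        for vendor, _ in affected:
            ids[vendor].add(cve_id)
    return {vendor: len(found) for vendor, found in ids.items()}

def severity_by_product(records):
    """Per-product breakdown by severity band."""
    bands = defaultdict(Counter)
    for _, score, affected in records:
        for product in {p for _, p in affected}:
            bands[product][severity(score)] += 1
    return bands

if __name__ == "__main__":
    print(per_product(RECORDS).most_common())
    print(per_vendor_distinct(RECORDS))
    print({p: dict(c) for p, c in severity_by_product(RECORDS).items()})
```

In this sample the product with the highest raw count has no critical entries, and the split-version vendor's per-product counts sum to twice its number of distinct CVEs.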

Look, no vulnerabilities list is perfect but they do provide some insights into security trends that IT professionals need to be aware of.

Given the large market share Android has in the mobile OS market, it’s no surprise that there has been a sharp rise in vulnerabilities for the operating system.

What is interesting to highlight is the high number of vulnerabilities found on Linux operating systems. Debian, Ubuntu, OpenSUSE (including Leap) and the Linux kernel itself all made the list. While there may still be some lingering impression that Linux-based operating systems are extremely secure, that’s obviously not the case.

Sure, there may not be as many people running Linux on their desktops compared to Windows and Mac OS, but the operating system is extremely popular in the server space. Let’s not forget that Android itself is also Linux-based. Having said that, it’s still easier to secure Linux operating systems compared to, say, Windows; it’s just important to remember that Linux isn’t infallible when it comes to security. The most notable vulnerability for Linux in 2016 was Dirty COW.

As a bonus, CVE Details has also created a graph that consolidated the 2016 results by vendor:

You can head over to CVE Details for a detailed breakdown of the different types of vulnerabilities that were reported for each software in 2016.


  • Wow…Edge had less than Chrome, that’s something I didn’t think would happen considering the age of the two. Android number one on the list…..I would like to see where all Mobile Phone OS security sit with each other, including WebOS, Win10 Mobile, Blackberry and any others.

  • Interesting, but I’m having a tough time calling the numbers useful.
    There are really important confounding factors such as:

    -Is (say) a problem in html one vulnerability, or a vulnerability in 20 operating systems?

    -Is a vulnerability which exposes my print queue comparable to one which exposes system root?

    -If you run a program finding and fixing vulnerabilities, is your system less safe than a company which waits for the hackers to find them?

    • 1) Not exactly sure what you’re trying to say? Do you mean like if there’s a CVE for HTML5.1, etc., then does it affect all OSes? Depends on the browser usually more than the OS.
      2) A lot of them are privilege escalation, yes, so the print queue could potentially lead to root access. That said… a lot of them are DoS-type vulnerabilities; that’s not to say a DoS can’t lead to priv escalation.
      3) Of course the company that takes extra steps to patch vulns is more safe! If it’s a targeted attack, i.e. a specific company, then it helps but not as much. If they are basically spearfishing, like just randomly scanning subnets for unpatched software and vulns, etc., then yes, obviously patching will prevent this. Sometimes they are just looking for something that’s easy, and if x target has known CVEs then of course you’re going to go after x company instead of y.

      But I agree the numbers may be off. Firstly, Microsoft Windows 10 is closed source (mostly) compared to Debian, which is mostly open source. What I’m saying is that there are literally millions of people building and debugging Debian compared to Win 10 and these other companies, so of course just by sheer number of people you’re going to find more vulns. It’s like the OSX argument….OSX has hardly any exploits. That’s not true, it’s just the target size is < Windows so less work goes into discovering exploits, etc. On the flip side it means they (Linux/open source) get patched quicker, so in turn more vulns discovered = safer code, etc. So take it with a grain of salt. As usual you should still be worried about Adobe (thanks Google for disabling Flash though…finally). Lastly, make no mistake, there are dozens of zero-day OSX and Win10 exploits out there. Bottom line: if someone with resources wants access to your comp they’re going to get it.

  • Obviously it’s not great news that Android tops the list. But I’d be interested to see this with context. For example, how many require physical possession of the device, how many require existing root, what damage/control do they cause and so on.

    Given Google sponsor white-hat conferences and pay bounties on exploits, I suppose it’s not surprising there are lots. Though the number the average user with an OEM locked device needs to worry about is probably somewhat lower.

    The big concern, but also no surprise, from this list is Flash Player. It may “only” be at #4, but the three above are all complex OSes. Flash is just one application.

  • I am not surprised that Debian and other Linux variants are high up the list, since its developers actively search for vulnerabilities. And publish them. And in most cases even fix them. Which is not the case with all proprietary OSs. A list of fixed vulnerabilities would be interesting in this context. Worth mentioning is that fixed issues in Debian are also fixed in its derivatives (like Ubuntu).
