* Maxim Kuvyrkov:

> The problem is fairly target-dependent, so architecture maintainers
> need to look at how stack-guard canaries and their addresses are
> handled and whether they can be spilled onto stack.
>
> It appears we need to poll architecture maintainers before filing the CVE.

One CVE ID by identified affected architecture would work as well. MITRE cares about affected software *versions* as well, and since the targets were added at different GCC versions (or stack protector support was added), the CVE IDs should be split in most cases anyway.