BGC Risk Score
Blue Goat Cyber MedTech rubric v1.0 · methodology
Not published
No direct patient impact inferred
On CISA KEV (in-the-wild)
4/10 network-reachable signals
How we got to 4.2
- 1
CVSS technical severity (40%)
Industry-standard exploitability + impact score. We prefer CVSS 4.0 and fall back to 3.1 per the FDA's Feb 2026 premarket cybersecurity guidance. Missing CVSS scores get a neutral 4.0 so unknown vulns are not over- or under-rated.
No CVSS published yet · neutral 4.0 × 40% = +1.60 - 2
Patient safety impact (35%)
What happens to a patient if this vuln is exploited on a connected device. Auto-inferred from headline, dek, tags, and device class against a curated MedTech keyword library (pacemaker, infusion pump, EHR, PACS, etc.).
No direct patient impact inferred → 2 × 35% = +0.70 - 3
Exploit maturity (15%)
Is anyone actually using this in attacks? KEV listing > weaponized exploit > public PoC > none. KEV alone forces tier=critical regardless of CVSS.
On CISA KEV (in-the-wild) → 10 × 15% = +1.50 - 4
MedTech exposure (10%)
How likely this affects clinical operations: presence in our MedTech feed (+4 baseline), network-reachable signals (+3), known device-class tags (+2), identified MedTech vendor (+1).
Exposure 4/10 × 10% = +0.40
Tier cutoffs: Critical ≥ 8.5 · High 7.0–8.4 · Notable 4.0–6.9 · Info < 4.0. Full methodology, weights, and changelog at /goatfeed/risk-rubric.
CVE: CVE-2018-14634
Vendor / product: Linux Kernel
KEV added: 2026-01-26 · Federal due date: 2026-02-16
Vulnerability
Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.