I'm not sure if there is always a patch for the corresponding CVE? And what if patch_a doesn't fix the CVE properly and then here comes patch_b, so there are two patches to fix one certain CVE. In this case, will the CVE reference be updated?
To give a correct answer we have to check the CVE publication process.
To begin, the person who finds a vulnerability has to tell the editor of the impacted product. After that, the editor has a period to provide a patch. After this period the vulnerability is published.
Usually the editor has already created a patch and the website that publishes the CVE gives a link to the patch. But sometimes, after the period, there's no patch. Sometimes the editor made the decision not to provide a patch. There are many reasons for that:
For the second question, usually, when a patch does not fix a vulnerability properly, a second CVE ID is created with a new patch.
Correct answer:
A CVE identifies a vulnerability or exposure, to quote the cve.org website: "CVE® Program Mission Identify, define, and catalog publicly disclosed cybersecurity vulnerabilities"
If a CVE is assigned, and a patch is issued that claims to fix the CVE, but fails to fix it, or incompletely fixes it, or creates a new vulnerability, well, you win a new CVE. Examples would be easily found by searching for "NOTE: this issue exists because of an incomplete fix for CVE" e.g. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=because+of+an+incomplete+fix+for
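Added example (not part of either answer above): a small Python helper that follows the "incomplete fix for CVE-..." wording the second answer quotes, so a vulnerability manager can see which follow-up CVEs to track when the first patch turned out to be insufficient. The records and CVE IDs below are constructed placeholders, not real entries.

```python
import re
from collections import defaultdict

# Phrase used in descriptions of follow-up CVEs, as quoted in the answer above.
INCOMPLETE_FIX_RE = re.compile(
    r"because of an incomplete fix for (CVE-\d{4}-\d{4,})", re.IGNORECASE
)

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "CVE-2099-0001",
     "description": "Buffer overflow in example-daemon before 1.2 allows remote code execution."},
    {"id": "CVE-2099-0002",
     "description": "Buffer overflow in example-daemon before 1.3. NOTE: this issue exists "
                    "because of an incomplete fix for CVE-2099-0001."},
    {"id": "CVE-2099-0003",
     "description": "Buffer overflow in example-daemon before 1.4. NOTE: this issue exists "
                    "because of an incomplete fix for CVE-2099-0002."},
    {"id": "CVE-2099-0004",
     "description": "Unrelated path traversal in example-web 2.0."},
]


def followups(records):
    """Map each CVE ID to the IDs whose descriptions say they exist because its fix was incomplete."""
    out = defaultdict(list)
    for rec in records:
        for original in INCOMPLETE_FIX_RE.findall(rec["description"]):
            out[original.upper()].append(rec["id"])
    return dict(out)


def fix_chain(cve_id, records):
    """Return cve_id plus every follow-up CVE reachable through incomplete-fix references.

    All IDs in the returned list need to be patched before the original issue can be
    considered closed. A seen-set keeps the walk safe against circular references.
    """
    graph = followups(records)
    chain, seen, todo = [], set(), [cve_id]
    while todo:
        cur = todo.pop(0)
        if cur in seen:
            continue
        seen.add(cur)
        chain.append(cur)
        todo.extend(graph.get(cur, []))
    return chain


if __name__ == "__main__":
    for cid in fix_chain("CVE-2099-0001", SAMPLE_RECORDS):
        print(cid)
```

Feeding it real records exported from the CVE list (as JSON with an id and a description field) would turn the constructed table into a live check of whether a given patch is the last one in the chain.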