KB-CVE Mappings

The KB-CVE Mappings page provides visibility into how Microsoft Knowledge Base (KB) patches relate to the CVEs they fix. This information is crucial for accurate vulnerability exposure calculations on Windows systems.

Why KB-CVE Mappings Matter

When calculating vulnerability exposure, it's not enough to know which CVEs affect your software—you also need to know which CVEs have already been patched. KB-CVE mappings enable NopeSight to:

Reduce False Positives: Exclude CVEs that are already fixed by installed patches
Calculate True Exposure: Show only vulnerabilities that are actually unpatched
Prioritize Remediation: Focus on vulnerabilities without available fixes

Accessing KB-CVE Mappings

Navigate to SAM in the main menu
Under Vulnerability Management, click KB-CVE Mappings

Understanding KB-CVE Mappings

Summary Statistics

Metric	Description
KB Articles	Total Microsoft patches in the database
Unique CVEs	Number of CVEs addressed by tracked patches
Critical	Patches addressing critical severity CVEs
Important	Patches addressing important severity CVEs
Moderate	Patches addressing moderate severity CVEs

Search and Filters

Search: Find specific KB articles by number or title
Severity: Filter by patch severity level
Date Range: Find patches released within a specific period

KB Mapping Details

Each KB entry shows:

Field	Description
KB ID	Microsoft Knowledge Base identifier (e.g., KB5034441)
Title	Description of the security update
Release Date	When the patch was released
Severity	Overall severity rating
CVEs Fixed	List of CVEs addressed by this patch
Affected Products	Windows versions this patch applies to

How KB-CVE Mapping Works

Data Collection Flow

Microsoft MSRC API
        │
        ├─→ Security Update Information
        │         │
        │         └─→ KB Articles
        │                 │
        │                 └─→ CVEs Fixed per KB
        │
        └─→ NopeSight KB-CVE Mappings Database
                          │
                          ▼
                Windows Device Discovery
                          │
                          ├─→ Installed Hotfixes (KBs)
                          │
                          └─→ Patched CVE Identification
                                    │
                                    ▼
                          Accurate Exposure Calculation

During Vulnerability Assessment

CVE Identification: NopeSight identifies CVEs affecting installed software
KB Lookup: Installed patches are retrieved from device scan data
Mapping Check: Each installed KB is checked for CVEs it fixes
Exclusion: Fixed CVEs are excluded from the vulnerability report
True Exposure: Only unpatched vulnerabilities are reported

Practical Example

Consider a Windows Server with the following scenario:

Installed Software: Windows Server 2022, SQL Server 2019

Potential CVEs:

CVE-2024-21302 (Windows Kernel)
CVE-2024-21303 (SQL Server)
CVE-2024-21304 (Windows RDP)

Installed Patches: KB5034123

KB-CVE Mapping Shows: KB5034123 fixes CVE-2024-21302 and CVE-2024-21304

Result: Only CVE-2024-21303 appears in the vulnerability report

Understanding Patch Relationships

Supersession

Microsoft patches often replace (supersede) older patches:

Superseded By: A newer patch that includes all fixes from this one
Supersedes: Older patches that this KB replaces

When a newer cumulative update is installed, it typically includes fixes from previous updates.

Cumulative Updates

Windows uses cumulative updates that include:

All previous security fixes
Quality improvements
Previous cumulative update content

This means installing the latest cumulative update provides protection for many older CVEs.

Using KB-CVE Mappings

Verify Patch Coverage

To check if a specific CVE is addressed:

Search for the CVE ID
Review which KBs fix that CVE
Check if those KBs are installed on affected systems

Plan Patch Deployment

When planning updates:

Identify high-priority unpatched CVEs
Find KBs that address those CVEs
Verify KB compatibility with your Windows versions
Schedule deployment

Audit Patch Status

For compliance and auditing:

Export KB mapping data
Cross-reference with installed patches
Document patching coverage
Identify gaps in coverage

Data Freshness

KB-CVE mappings are synchronized from Microsoft Security Response Center (MSRC):

Automatic Updates: Data is refreshed periodically
Patch Tuesday: New mappings added after monthly security releases
Out-of-Band Updates: Emergency patches are added as released

Patch Tuesday

Microsoft releases security updates on the second Tuesday of each month. New KB-CVE mappings are typically available within 24-48 hours of release.

Limitations

Windows-Specific

KB-CVE mappings apply only to Microsoft products. For other software:

Check vendor security advisories
Monitor software-specific update channels
Review CVE references for patch information

Mapping Completeness

Not all KBs have CVE mappings:

Quality updates may not address specific CVEs
Some fixes are proactive rather than vulnerability-related
Feature updates have separate tracking

Active Vulnerabilities - Managing discovered vulnerabilities
CVE Database - Exploring vulnerability details
CPE Dictionary - Understanding software identification

Why KB-CVE Mappings Matter​

Accessing KB-CVE Mappings​

Understanding KB-CVE Mappings​

Summary Statistics​

Search and Filters​

KB Mapping Details​

How KB-CVE Mapping Works​

Data Collection Flow​

During Vulnerability Assessment​

Practical Example​

Understanding Patch Relationships​

Supersession​

Cumulative Updates​

Using KB-CVE Mappings​

Verify Patch Coverage​

Plan Patch Deployment​

Audit Patch Status​

Data Freshness​

Limitations​

Windows-Specific​

Mapping Completeness​

Related Topics​