What does it mean to cherry-pick a vulnerability fix?
In Git, cherry-pick means taking a specific commit from one branch and applying it to another branch without merging any of the other changes on that branch. It is possible to use a git cherry-pick to apply a security patch (commit) from one branch or version to another. However, this means the change is committed before it has been officially merged or approved.
How to tell if an advisory was fixed by a cherry-pick
It’s not always possible to tell, but typically, when a package is manually fixed via a git cherry-pick, the security advisory will note the package version epoch. For example, CVE-2025-11495 for binutils was fixed by package version epoch 2.45-r2. The package version epoch is a version string that incorporates alphabetical characters and so cannot always be compared reliably. It is typically used to resolve an upgrade ordering issue that results from upstream changes, as in the case of cherry-picked commits.
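Because a version epoch such as 2.45-r2 cannot be compared reliably as a plain string, a check that an installed package carries the advisory's fix has to parse it. The following is an added example, not Minimus code; it assumes the "-rN" suffix is a rebuild counter that increments when a fix is cherry-picked without a new upstream release, and it rejects version schemes it does not understand rather than misordering them.

```python
import re
from typing import Tuple

# Constructed example: the advisory cited above notes that CVE-2025-11495 in
# binutils was fixed by package version epoch 2.45-r2. Plain string comparison
# misorders such values ("2.45-r10" sorts before "2.45-r2"), so a fixed-version
# check must compare the numeric components and the rebuild counter separately.

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str, int]:
    """Split 'MAJOR.MINOR[.PATCH][letter][-rN]' into comparable parts.

    Returns (numeric components, letter suffix, rebuild counter). A missing
    -rN counts as r0. This is an assumed format: git snapshots, pre-release
    tags and other schemes raise ValueError instead of being misordered.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unsupported version format: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    letter = match.group(2)
    rebuild = int(match.group(3)) if match.group(3) is not None else 0
    return numbers, letter, rebuild


def compare_versions(left: str, right: str) -> int:
    """Return -1, 0 or 1 as left is older than, equal to or newer than right."""
    a, b = parse_version(left), parse_version(right)
    return (a > b) - (a < b)


def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when the installed package version is at or past the advisory's fix."""
    return compare_versions(installed, fixed_in) >= 0


if __name__ == "__main__":
    fixed_in = "2.45-r2"  # fixed version from the advisory cited on this page
    for installed in ("2.45-r1", "2.45-r2", "2.45-r10", "2.46-r0", "2.45"):
        print(f"binutils {installed:>8} vs fix in {fixed_in}: "
              f"fixed={is_fixed(installed, fixed_in)}")
```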
Sometimes, a fix may become available in a yet-unreleased commit to the project’s source or via an external patch (from a mailing list or another equivalent source) before it is officially accepted. In such cases, there is some potential benefit to be gained from resolving the vulnerability earlier, but it must be balanced with the risk of introducing fixes that have not been sufficiently tested.
At Minimus, we aim to balance these competing considerations according to our understanding of security principles. Vulnerability and exploit intelligence always drive our decisions. Our goal is to weigh the risk of leaving vulnerabilities unpatched against the risk of incorporating fixes that haven’t been extensively tested and could introduce regressions or worse.
Minimus will only consider patching a vulnerability via a git cherry-pick if the patch does not present a risk of regression greater than the potential impact of exploitation. That is, the potential risk of exploitation must justify the risk of committing the fix before it has been fully tested. This efficacy criterion supersedes all other criteria stated below. When an effective patch is available, Minimus will patch a vulnerability via a cherry-pick fix in the following cases:
If a vulnerability is labeled as an Active Exploit in the Minimus console, regardless of severity.
If a vulnerability is labeled as a Likely Exploit in the Minimus console, and the vulnerability is of critical or high severity.
The Likely Exploit label is applied to vulnerabilities with an exploitability probability score above 60%.
An EPSS probability score of 60% is in the 98th percentile. In other words, fewer than 2% of vulnerabilities have an EPSS probability score of 60% or higher.
Minimus may choose to address vulnerabilities that don’t meet the above criteria when the team determines that the benefits outweigh the potential risks. Minimus reserves the right, at its discretion, to apply a cherry-picked fix to vulnerabilities that fall below the EPSS threshold Minimus uses for the Likely Exploit label. The higher the severity, the more likely it is that Minimus will choose to apply the cherry-picked patch.
Please get in touch with us directly if you would like to submit a request to have us address a specific vulnerability via a cherry-pick. Please provide a business impact statement with your request to help us better understand your needs.