Ghostboard pixel

Linux Kernel Bugs Hide for 2+ Years on Average

Study of 20 years of kernel history finds bugs hide for 2+ years on average, some for decades.
Sourav Rudra
3 min read
Warp Terminal

It was not too long ago we talked about the first Rust CVE in the Linux kernel, which caused system crashes. That same day, 159 other CVEs were issued for C code. While that shows progress with Rust, it also highlights something more concerning; the kernel has bugs that hide for years before anyone finds them.

A research blog published on Pebblebed demonstrates how bugs often stay hidden for years before they are discovered and fixed.

🚧
Please note that this study talks about bugs of all kinds. Not all bugs are vulnerabilities.

The Linux Kernel Isn't Perfect

this is a white colored chart that shows the distribution of bugs (using colored bars) on the linux kernel across 10+ years, you should OCR this to understand the stats
Source: Jenny Guanni Qu via Pebblebed

Jenny Guanni Qu, a researcher at Pebblebed, analyzed 125,183 bugs from 20 years of Linux kernel development history (on Git). The findings show that the average bug takes 2.1 years to find. The longest-lived bug, a buffer overflow in networking code, went unnoticed for 20.7 years!

The research was carried out by relying on the Fixes: tag that is used in kernel development. Basically, when a commit fixes a bug, it includes a tag pointing to the commit that introduced the bug.

Jenny wrote a tool that extracted these tags from the kernel's git history going back to 2005. The tool finds all fixing commits, extracts the referenced commit hash, pulls dates from both commits, and calculates the time frame.

Example of how the Fixes: tag is used on the left, the dataset parameters used by Jenny on the right.

As for the dataset, it includes over 125k records from Linux 6.19-rc3, covering bugs from April 2005 to January 2026. Out of these, 119,449 were unique fixing commits from 9,159 different authors, and only 158 bugs had CVE IDs assigned.

Plus, she found out that different parts of the kernel show significant variation in how long bugs remain hidden. CAN bus drivers have the longest average at 4.2 years, followed by SCTP networking at 4.0 years. GPU bugs get caught fastest at 1.4 years, and BPF bugs are found within 1.1 years.

The research also found that incomplete fixes are common. Someone notices undefined behavior and ships a fix, but the fix does not fully address the problem. In one case, a 2024 fix for netfilter set field validation was incomplete, and a security researcher found a bypass a year later.

Jenny's research goes much deeper than what I covered here. She has also developed an AI model called VulnBERT that predicts whether a commit introduces a vulnerability. The detailed blog post linked above includes elaborate technical explanations on that; it is a must-read!

Suggested Read 📖: The First Rust CVE in Linux Kernel

The First Rust CVE in Linux Kernel Only Makes Your System Crash
Greg Kroah-Hartman announced this alongside 150+ C code vulnerabilities that were addressed.
It's FOSSSourav Rudra
News
About the author
Sourav Rudra

Sourav Rudra

A nerd with a passion for open source software, custom PC builds, motorsports, and exploring the endless possibilities of this world.

Read next

Bose SoundTouch End of Life Gets Less Painful With Public API Release

Fedora 44 Will Be the First Distro to Adopt KDE's Plasma Login Manager

Debian's Data Protection Team is No More, Maybe You Can Help?

An X11 Thing! Your Favorite Middle-Click Paste is Likely to be Disabled in Future GNOME Releases

5 Linux Resolutions to Level Up Your Skills in 2026

Become a Better Linux User

With the FOSS Weekly Newsletter, you learn useful Linux tips, discover applications, explore new distros and stay updated with the latest from Linux world

itsfoss happy penguin

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to It's FOSS.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.