A security researcher has found that bugs in the Linux kernel remain undetected for just over two years on average, and that some persist for more than two decades. By analyzing 20 years of kernel development, Jenny Guanni Qu uncovered how these flaws quietly affect cloud systems, enterprises, and billions of devices. Her work highlights the challenges of maintaining secure open-source software.
Linux security developer Jenny Guanni Qu has revealed that vulnerabilities in the Linux kernel can lurk undetected for extended periods, posing significant risks to the systems built on it. In a comprehensive study, she examined two decades of Linux kernel development, reviewing 125,000 bug-fix commits. The analysis showed that the average bug stays hidden for just over two years, though many endure far longer, some for more than 20 years.
One striking example is a networking bug introduced in 2006 and only fixed in 2025, nearly 19 years later. This issue, a reference-count leak in the netfilter subsystem, stemmed from a commit intended to resolve a deadlock. "The irony: Commit d205dc40798d was itself a fix: '[NETFILTER]: ctnetlink: fix deadlock in table dumping'. Patrick McHardy was fixing a deadlock by removing a _put() call. In doing so, he introduced a refcount leak that would persist for 19 years," Qu explained. Because the dump path took a reference on each entry but no longer released it, every dump left the count one higher than it should be, and entries that should have been freed stayed pinned in memory. The result was a slow leak that only showed up under specific conditions: affected systems could look stable for years, then degrade as the pinned entries accumulated under load.
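The shape of that bug is easy to reproduce outside the kernel. The program below is an added, constructed illustration, not the netfilter code or anything from Qu's analysis: a tiny refcounted table with a get()/put() discipline, a "dump" that takes a reference per entry and forgets the matching put (the leaky form), the corrected dump beside it, and a leak detector that tears the table down and counts what is still allocated. All identifiers (entry_get, entry_put, dump_leaky, dump_fixed, leaked_after, and so on) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not kernel code: a minimal refcounted table
 * whose dump path takes a reference per entry, mirroring the shape of the
 * ctnetlink table-dump refcount leak. */

struct entry {
    int id;
    int refcnt;           /* outstanding references; freed when it hits 0 */
    struct entry *next;
};

struct table {
    struct entry *head;
};

static int live_entries;  /* entries currently allocated (leak detector) */
static long emitted;      /* stands in for copying entries to userspace */

static struct entry *entry_new(int id)
{
    struct entry *e = calloc(1, sizeof(*e));
    if (!e)
        abort();
    e->id = id;
    e->refcnt = 1;        /* the table's own reference */
    live_entries++;
    return e;
}

static void entry_get(struct entry *e) { e->refcnt++; }

static void entry_put(struct entry *e)
{
    if (--e->refcnt == 0) {
        live_entries--;
        free(e);
    }
}

static void table_add(struct table *t, int id)
{
    struct entry *e = entry_new(id);
    e->next = t->head;
    t->head = e;
}

/* Drop the table's reference to every entry; anything still referenced
 * elsewhere stays allocated, which is exactly what a leaked get() causes. */
static void table_destroy(struct table *t)
{
    struct entry *e = t->head;
    while (e) {
        struct entry *next = e->next;
        entry_put(e);
        e = next;
    }
    t->head = NULL;
}

static void emit(const struct entry *e) { emitted += e->id; }

typedef void (*dump_fn)(struct table *t);

/* Leaky dump: a reference is taken per entry but never released, so every
 * dump pins every entry one more time and they can never be freed. */
static void dump_leaky(struct table *t)
{
    for (struct entry *e = t->head; e; e = e->next) {
        entry_get(e);
        emit(e);
        /* BUG: missing entry_put(e) */
    }
}

/* Corrected dump: each get() is paired with a put() once the entry is used. */
static void dump_fixed(struct table *t)
{
    for (struct entry *e = t->head; e; e = e->next) {
        entry_get(e);
        emit(e);
        entry_put(e);
    }
}

/* Build a table of n entries, dump it `rounds` times, tear it down, and
 * report how many entries are still allocated. A correct dump yields 0. */
int leaked_after(dump_fn dump, int n, int rounds)
{
    struct table t = { .head = NULL };
    live_entries = 0;
    for (int i = 1; i <= n; i++)
        table_add(&t, i);
    for (int r = 0; r < rounds; r++)
        dump(&t);
    table_destroy(&t);
    return live_entries;
}

int main(void)
{
    printf("leaky dump: %d entries still allocated\n", leaked_after(dump_leaky, 100, 10));
    printf("fixed dump: %d entries still allocated\n", leaked_after(dump_fixed, 100, 10));
    return 0;
}
```

The check in leaked_after is the one that matters in practice: after the last owner drops its reference, the live count must return to zero. Note that the leaky variant does not crash or misbehave while the dump runs; the only symptom is memory that is never returned, which is why this class of bug can sit unnoticed until a long-running system is dumped often enough to feel it.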
Qu's research points to why such long-lived bugs are hard to detect. Older parts of the kernel, dating to the early 2000s, rarely see changes or reviews. Partial fixes often address symptoms without tackling root causes, so the underlying flaw survives. Race conditions, reference-count errors, and object-lifetime (allocation and free) mistakes prove especially elusive, because they leave no immediate crash and only surface under particular timing or load.
Despite Linux's open-source model, which invites scrutiny, a backlog of ancient flaws remains. From an attacker's view, these bugs offer powerful vectors, affecting shared code across distributions. By the time a vulnerability earns a CVE, it may have been exploited for years.
To combat this, Qu developed VulnBERT, a machine-learning model that scans code changes for vulnerabilities. In tests, it detected over 90% of problematic commits with low false positives, including the 19-year-old bug. "VulnBERT is a triage tool, not a guarantee. It catches 92% of bugs with recognizable patterns. The remaining 8% and novel bug classes still need human review and fuzzing," she noted.
Bugs introduced in newer kernel code tend to be found and fixed faster, but the continuing discoveries in legacy code underscore the need for vigilant maintenance. Enterprises should prioritize kernel updates and track the stable and long-term branches that carry backported fixes, since these flaws can enable full system compromise in advanced attacks.