A new analysis of 20 years of Linux kernel development reveals that bugs often remain undetected for years, with an average lifespan of 2.1 years before discovery. The research, conducted by Pebblebed's Jenny Guanni Qu, highlights variations across kernel components and the prevalence of incomplete fixes. Some vulnerabilities persisted for over two decades.
The Linux kernel, a cornerstone of open-source operating systems, is not immune to persistent bugs, according to a detailed study published on January 8, 2026. Jenny Guanni Qu, a researcher at Pebblebed, examined 125,183 bugs spanning from April 2005 to January 2026, using data from Linux kernel version 6.19-rc3.
Her methodology relied on the 'Fixes:' tag in git commits, which links fixes to the original introducing commits. A custom tool extracted these tags, calculating bug lifespans based on commit dates. Of the records, 119,449 were unique fixes from 9,159 authors, with only 158 assigned CVE IDs.
Key findings include an average bug detection time of 2.1 years. The longest undetected issue—a buffer overflow in networking code—lasted 20.7 years. Component variations are stark: CAN bus drivers averaged 4.2 years, SCTP networking 4.0 years, while GPU bugs were caught in 1.4 years and BPF bugs in 1.1 years.
The study also notes common incomplete fixes. For instance, a 2024 netfilter set field validation patch was bypassed a year later by a security researcher. This underscores ongoing challenges despite progress, such as the recent first Rust CVE amid 159 C-code CVEs on the same day.
Qu further developed VulnBERT, an AI model to predict vulnerability-introducing commits, offering potential for earlier detection in kernel development.