TL;DR
The analysis of Linux kernel bugs shows that some bugs remain undiscovered for over 20 years, with an average lifespan of 2.1 years. The study examined 125,183 bug-fix pairs and found that certain subsystems have longer bug lifetimes. A tool developed for the research identified 92% of historical bugs, and findings indicate that bug discovery has improved over time.
Key Points
Highlight key points with color coding based on sentiment (positive, neutral, negative).Linux kernel bugs remain undiscovered for an average of 2.1 years, with some persisting for more than two decades.
The longest-lived bug identified was a buffer overflow in ethtool that remained in the Linux kernel for 20.7 years.
Bug discovery has accelerated over time, with 69% of bugs introduced in 2022 being found within one year.
The study reports that VulnBERT identified 92.2% of historical bug-introducing commits while maintaining a low false positive rate of 1.2%.
An initial dataset limited to 2025 fixes showed a higher average bug lifetime of 2.8 years due to survivorship bias.
Kernel bugs in the Linux kernel often persist far longer than many developers expect. A recent study analyzing 125,183 bug-fix pairs across 20 years of Linux kernel git history found that bugs remain undiscovered for an average of 2.1 years. While many issues are detected relatively quickly, a significant long tail remains, with some bugs surviving for more than 20 years before being fixed.
The analysis shows wide variation across subsystems. CAN bus drivers and SCTP networking exhibit some of the longest average bug lifetimes, at 4.2 and 4.0 years respectively. Networking-related code in general tends to harbor bugs longer than other areas, while GPU and BPF subsystems see much faster detection. The longest-lived bug identified in the dataset was a buffer overflow in ethtool that remained in the kernel for 20.7 years.
Bug detection has improved over time, but unevenly. In 2010, none of the bugs introduced that year were found within a year of introduction. By 2022, 69% of new bugs were identified within their first year. This improvement aligns with the broader adoption of kernel fuzzing, sanitizers, and more rigorous review processes. However, the study cautions that recent data is partially right-censored, meaning newer bugs have not yet had time to exhibit long lifetimes.
The research also highlights a persistent backlog of long-lived bugs. Among bugs fixed in 2024 and 2025, 60% were introduced within the previous two years, but 18% dated back five to ten years, and 6.5% were more than a decade old. This indicates that while new bugs are being caught faster, older issues continue to surface slowly.
Certain bug types are especially difficult to uncover. Race conditions had the longest average lifetime at 5.1 years, followed by integer overflows and use-after-free errors. These bugs are often nondeterministic or require specific timing, memory pressure, or workload conditions, making them hard to reproduce through convenutional testing.
To address these challenges, the researchers developed VulnBERT, a machine learning–based system designed to identify bug-introducing commits at commit time. VulnBERT combines neural code embeddings with handcrafted, domain-specific features and achieved a recall of 92.2% on a held-out 2024 test set, with a false positive rate of 1.2% and an F1 score of 95.4%. The approach aims to reduce the time bugs remain in production by flagging high-risk commits before they are merged.
The findings suggest that Linux kernel reliability has improved, but not uniformly. Faster detection of new bugs coexists with a substantial backlog of long-lived issues, particularly in complex and less frequently exercised subsystems. The study concludes that automated analysis tools, combined with fuzzing and human review, are increasingly necessary to reduce the window in which kernel bugs can affect systems at scale.
Key Numbers
Present key numerics and statistics in a minimalist format.The average time a Linux kernel bug remains undiscovered across the full dataset.
The lifetime of the longest-lived Linux kernel bug identified in the study.
The average bug lifetime in CAN bus driver subsystems.
The average bug lifetime in SCTP networking subsystems.
The recall achieved by the bug detection tool on historical kernel bugs.
The percentage of kernel bugs introduced in 2010 that were found within one year.
The percentage of kernel bugs introduced in 2022 that were found within one year.
The average bug lifetime measured in the 2025-only dataset.
The percentage of kernel bugs that remained undiscovered for five years or more.
The percentage of kernel bugs that remained undiscovered for ten years or more.
The average discovery time for race condition bugs in the Linux kernel.
The recall rate achieved by VulnBERT on a held-out 2024 temporal test set.
The false positive rate achieved by VulnBERT on a held-out 2024 temporal test set.
Stakeholder Relationships
An interactive diagram mapping entities directly or indirectly involved in this news. Drag nodes to rearrange them and see relationship details.Timeline of Events
Timeline of key events and milestones.The Linux kernel migrated to git, enabling long-term tracking of bug-introducing commits and their fixes via commit metadata such as Fixes tags.
A refcount leak was introduced in the netfilter subsystem, later identified as one of the longest-lived bugs in the dataset.
For bugs introduced in 2010, none were discovered and fixed within one year, reflecting limited detection tooling at the time.
Syzkaller, a coverage-guided kernel fuzzer, was released and later became a major driver of faster bug discovery.
By 2018, 54% of newly introduced kernel bugs were found within one year, indicating improved detection capabilities.
Support for concatenated netfilter set fields was added, later contributing to validation and security issues.
For bugs introduced in 2022, 69% were discovered within one year, marking a significant improvement over earlier periods.
A fix addressing undefined behavior in netfilter set field validation was merged, though it later proved incomplete.
A security researcher identified remaining code paths that bypassed the 2024 validation fix.
The long-lived netfilter refcount leak introduced in 2006 was finally fixed after being reproducible under specific conditions.
During this period, most fixes addressed recent bugs, but a notable share targeted issues introduced five to ten or more years earlier.
Researchers completed mining of all Linux kernel Fixes tags since 2005, producing a dataset of over 125,000 bug-fix pairs.
VulnBERT achieved 92.2% recall with a 1.2% false positive rate on a held-out 2024 test set.
Additional Resources
Enjoyed it?
Get weekly updates delivered straight to your inbox, it only takes 3 seconds!Subscribe to our weekly newsletter DevOpsLinks to receive similar updates for free!
Give a Pawfive to this post!
Share with your friends and followers
Start writing about what excites you in tech — connect with developers, grow your voice, and get rewarded.
Join other developers and claim your FAUN.dev() account now!
FAUN.dev()
FAUN.dev() is a developer-first platform built with a simple goal: help engineers stay sharp without wasting their time.
DevOpsLinks #DevOps
FAUN.dev()
@devopslinks
Featured Course(s)
Observability with Prometheus and Grafana
A Complete Hands-On Guide to Operational Clarity in Cloud-Native Systems
Cloud-Native Microservices With Kubernetes - 2nd Edition
A Comprehensive Guide to Building, Scaling, Deploying, Observing, and Managing Highly-Available Microservices in Kubernetes
