There are bugs in your kernel right now that won't be found for years. I know because I analyzed 125,183 of them: every bug with a traceable Fixes: tag in the Linux kernel's 20-year git history.

The average kernel bug lives 2.1 years before discovery. But some subsystems are far worse: CAN bus drivers average 4.2 years, SCTP networking 4.0 years. The longest-lived bug in my dataset, a buffer overflow in ethtool, sat in the kernel for 20.7 years. The one I'll dissect in detail is a refcount leak in netfilter, and it lasted 19 years.

I built a tool that catches 92% of historical bugs in a held-out test set at commit time. Here's what I learned.

Key findings at a glance

- 125,183: Bug-fix pairs with traceable Fixes: tags
- 123,696: Valid records after filtering (0 < lifetime < 27 years)
- 2.1 years: Average time a bug hides before discovery
- 20.7 years: Longest-lived bug (ethtool buffer overflow)
- 0% → 69%: Bugs found within 1 year (2010 vs 2022)
- 92.2%: Recall of VulnBERT on held-out 2024 test set
- 1.2%: False positive rate (vs 48% for vanilla CodeBERT)

The initial discovery

I started by mining the most recent 10,000 commits with Fixes: tags from the Linux kernel. After filtering out invalid references (commits that pointed to hashes outside the repo, malformed tags, or merge commits), I had 9,876 valid vulnerability records. For the lifetime analysis, I excluded 27 same-day fixes (bugs introduced and fixed within hours), leaving 9,849 bugs with meaningful lifetimes.

The results were striking:

Metric            Value
Bugs analyzed     9,876
Average lifetime  2.8 years
Median lifetime   1.0 year
Maximum           20.7 years

Almost 20% of bugs had been hiding for 5+ years. The networking subsystem looked particularly bad at 5.1 years average. I found a refcount leak in netfilter that had been in the kernel for 19 years.

Initial findings: Half of bugs found within a year, but 20% hide for 5+ years.

But something nagged at me: my dataset only contained fixes from 2025.
Was I seeing the full picture, or just the ...
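
The mining step described above (resolve each Fixes: tag to the introducing commit, drop malformed or unresolvable references, exclude same-day fixes, keep 0 < lifetime < 27 years), as an added example that is not the author's tool. The commit records are constructed, prefix-based hash resolution and the 24-hour same-day threshold are assumptions, and merge-commit filtering is left out.

```python
import re
from datetime import datetime, timedelta

# 'Fixes: <abbreviated sha> ("subject")' trailer as used in kernel commit messages.
TAG_RE = re.compile(r"^Fixes:(.*)$", re.I | re.M)
SHA_RE = re.compile(r"([0-9a-f]{8,40})\b", re.I)
MAX_LIFETIME = timedelta(days=27 * 365.25)  # page's filter: 0 < lifetime < 27 years
SAME_DAY = timedelta(days=1)                # assumption: "within hours" means < 24 h

# Constructed history (not real kernel commits): sha -> (commit date, message).
COMMITS = {
    "1111aaaa2222bbbb": ("2005-06-01T12:00:00+00:00", "netfilter: add helper"),
    "3333cccc4444dddd": ("2023-01-10T12:00:00+00:00", "can: add driver"),
    "5555eeee6666ffff": ("2024-05-01T09:00:00+00:00", "sctp: rework path"),
    "aaaa000011112222": ("2024-06-01T12:00:00+00:00",
        'netfilter: fix refcount leak\n\nFixes: 1111aaaa2222 ("netfilter: add helper")\n'),
    "bbbb000011112222": ("2024-01-10T12:00:00+00:00",
        'can: fix length check\n\nFixes: 3333cccc4444 ("can: add driver")\n'),
    "cccc000011112222": ("2024-05-01T15:00:00+00:00",
        'sctp: fix typo\n\nFixes: 5555eeee6666 ("sctp: rework path")\n'),
    "dddd000011112222": ("2024-07-01T12:00:00+00:00",
        'net: fix oops\n\nFixes: deadbeef0000 ("commit from another tree")\n'),
    "eeee000011112222": ("2024-07-02T12:00:00+00:00",
        "net: fix boot\n\nFixes: the crash seen on boot\n"),
}

def resolve(prefix, commits):
    """Return the single commit whose hash starts with prefix, else None."""
    hits = [sha for sha in commits if sha.startswith(prefix.lower())]
    return hits[0] if len(hits) == 1 else None

def bug_lifetimes(commits):
    """Return ([(intro_sha, fix_sha, years)], counts of rejected tags)."""
    pairs = []
    skipped = {"malformed": 0, "unresolved": 0, "same_day": 0, "out_of_range": 0}
    for fix_sha, (fix_date, msg) in commits.items():
        for tag in TAG_RE.findall(msg):
            m = SHA_RE.match(tag.strip())
            intro = resolve(m.group(1), commits) if m else None
            if m is None:
                skipped["malformed"] += 1      # tag carries no commit hash
            elif intro is None:
                skipped["unresolved"] += 1     # hash points outside the repository
            else:
                life = (datetime.fromisoformat(fix_date)
                        - datetime.fromisoformat(commits[intro][0]))
                if timedelta(0) < life < SAME_DAY:
                    skipped["same_day"] += 1
                elif not timedelta(0) < life < MAX_LIFETIME:
                    skipped["out_of_range"] += 1  # negative or implausibly long
                else:
                    pairs.append((intro, fix_sha, life.days / 365.25))
    return pairs, skipped
```

The rejection counts matter as much as the lifetimes: every dropped tag is a bug the averages never see.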
First seen: 2026-01-08 02:46
Last seen: 2026-01-08 21:49