Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Graph of "critical" and "high" priority Linux kernel CVEs since 2010. Kernel release on the left side axis, older at the bottom. CVEs listed across the bottom axis. Each CVE has a bar running vertically ahove to indicate the duration of kernel releases the given flaw existed before it was fixed. The length of the bars is generally getting shorter, but many still reach all the way down into "before git history" times, showing the technical debt of the past.

Download link

Graph of "critical" and "high" priority Linux kernel CVEs since 2010. Kernel release on the left side axis, older at the bottom. CVEs listed across the bottom axis. Each CVE has a bar running vertically ahove to indicate the duration of kernel releases the given flaw existed before it was fixed. The length of the bars is generally getting shorter, but many still reach all the way down into "before git history" times, showing the technical debt of the past.
https://cdn.fosstodon.org/media_attachments/files/111/951/091/319/383/275/original/d540c9cd1f5580a4.png

Notices where this attachment appears

Embed this notice
Kees Cook :tux: (kees@fosstodon.org)'s status on Sunday, 18-Feb-2024 15:47:44 JST Kees Cook :tux:

Last time I did a Linux kernel security flaw lifetime analysis was back in 2021. It showed the average time between flaw introduction and fix was 5.5 years for 108 "high priority" CVEs:
https://outflux.net/slides/2021/lss/kspp.pdf
I refreshed my dataset today and was surprised to see that now with 103 more CVEs, it's still holding at 5.5 years. This actually means Linux is getting faster at finding issues, but the (diminishing) technical debt of the past is still dragging down the average.

In conversation about a year ago from fosstodon.org permalink