Linux Kernel Recency Matters, CVE Severity Doesn't, and History Fades
For Linux kernel developers and security researchers, the study reveals that patching priority is driven by kernel recency rather than severity, highlighting a gap in vulnerability management.
The paper analyzes Linux kernel CVEs and finds that severity metrics have negligible association with patch latency, while kernel recency is a reasonable predictor; newer kernels are fixed sooner, and older ones retain unresolved CVEs.
In 2024, the Linux kernel became its own Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA), formalizing how kernel vulnerabilities are identified and tracked. We analyze the anatomy and dynamics of kernel CVEs using metadata, associated commits, and patch latency to understand what drives patching. Results show that severity and Common Vulnerability Scoring System (CVSS) metrics have a negligible association with patch latency, whereas kernel recency is a reasonable predictor in survival models. Kernel developers fix newer kernels sooner, while older ones retain unresolved CVEs. Commits introducing vulnerabilities are typically broader and more complex than their fixes, though often only approximate reconstructions of development history. The Linux kernel remains a unique open-source project -- its CVE process is no exception.
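To make the abstract's "survival models" concrete, here is an added example (not code or data from the paper) showing how patch latency is analysed when some CVEs are still unresolved at the end of the observation window. Each record carries the stable series it is tracked against, a disclosure date and an optional fix date; unresolved CVEs are right-censored at the window end rather than dropped, and a Kaplan-Meier curve is fitted per series. All records, the `CVE-EXAMPLE-*` ids, the series labels and the window end are constructed for illustration; they do not reproduce the paper's measurements.

```python
# Added example: patch-latency survival analysis over constructed kernel CVE records.
# Not the paper's code; the sample data below is constructed and the CVE ids are placeholders.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CveRecord:
    cve_id: str            # placeholder id, not a real CVE
    kernel_series: str     # stable series the CVE is tracked against, e.g. "6.12"
    disclosed: date        # date the CVE was published
    fixed: Optional[date]  # date the fix landed; None means still unresolved


# End of the observation window (assumed value). Unresolved CVEs are right-censored
# here instead of being discarded, which is what lets a survival model use them.
OBSERVATION_END = date(2024, 12, 31)


def latency_days(rec: CveRecord, observation_end: date = OBSERVATION_END) -> Tuple[int, bool]:
    """Return (days observed, event). event=True: the CVE was fixed inside the window.
    event=False: censored, we only know it stayed unfixed at least this long."""
    if rec.fixed is not None and rec.fixed <= observation_end:
        return (rec.fixed - rec.disclosed).days, True
    return (observation_end - rec.disclosed).days, False


def kaplan_meier(obs: List[Tuple[int, bool]]) -> List[Tuple[int, float]]:
    """Product-limit estimate of S(t) = P(still unpatched after t days).
    Returns (t, S(t)) at each t where at least one fix landed."""
    events: Dict[int, int] = defaultdict(int)
    censored: Dict[int, int] = defaultdict(int)
    for t, event in obs:
        (events if event else censored)[t] += 1
    at_risk = len(obs)
    survival = 1.0
    curve: List[Tuple[int, float]] = []
    for t in sorted(set(events) | set(censored)):
        d = events[t]
        if d:
            # records censored at the same t still count as at risk for this step
            survival *= 1.0 - d / at_risk
            curve.append((t, survival))
        at_risk -= d + censored[t]
    return curve


def median_latency(curve: List[Tuple[int, float]]) -> Optional[int]:
    """Smallest t with S(t) <= 0.5, or None when half the CVEs were never fixed
    inside the window, so the median latency is not estimable."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def latency_by_series(records: List[CveRecord]) -> Dict[str, List[Tuple[int, float]]]:
    """Group records by kernel series and fit one survival curve per series."""
    grouped: Dict[str, List[Tuple[int, bool]]] = defaultdict(list)
    for rec in records:
        grouped[rec.kernel_series].append(latency_days(rec))
    return {series: kaplan_meier(obs) for series, obs in grouped.items()}


# Constructed sample: a recent series where every CVE was fixed within two weeks,
# and an older series where three of five CVEs are still open at the window end.
SAMPLE_RECORDS = [
    CveRecord("CVE-EXAMPLE-0001", "6.12", date(2024, 10, 1), date(2024, 10, 4)),
    CveRecord("CVE-EXAMPLE-0002", "6.12", date(2024, 10, 1), date(2024, 10, 6)),
    CveRecord("CVE-EXAMPLE-0003", "6.12", date(2024, 10, 10), date(2024, 10, 17)),
    CveRecord("CVE-EXAMPLE-0004", "6.12", date(2024, 10, 10), date(2024, 10, 20)),
    CveRecord("CVE-EXAMPLE-0005", "6.12", date(2024, 11, 1), date(2024, 11, 15)),
    CveRecord("CVE-EXAMPLE-0006", "5.10", date(2024, 10, 1), date(2024, 10, 21)),
    CveRecord("CVE-EXAMPLE-0007", "5.10", date(2024, 10, 1), date(2024, 11, 15)),
    CveRecord("CVE-EXAMPLE-0008", "5.10", date(2024, 10, 10), None),
    CveRecord("CVE-EXAMPLE-0009", "5.10", date(2024, 11, 1), None),
    CveRecord("CVE-EXAMPLE-0010", "5.10", date(2024, 12, 1), None),
]

if __name__ == "__main__":
    for series, curve in sorted(latency_by_series(SAMPLE_RECORDS).items()):
        points = ", ".join(f"S({t})={s:.2f}" for t, s in curve)
        print(f"{series}: {points}; median latency = {median_latency(curve)}")
```

The point of the censoring step is the one the abstract makes about older kernels: when many CVEs in a series are still open, a naive mean of fix times over only the fixed CVEs understates latency, whereas the survival curve simply never drops below 0.5 and reports the median as not estimable. Kernel recency can then be entered as a covariate (here approximated by grouping on the series label) and compared against CVSS in the same framework.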