Linux Kernel Recency Matters, CVE Severity Doesn't, and History Fades
Piotr Przymus (1), Witold Weiner (1), Krzysztof Rykaczewski (1), Gunnar Kudrjavets (2) ((1) Nicolaus Copernicus University, Toruń, Poland, (2) Amazon Web Services, Seattle, WA, USA)

TL;DR
This paper investigates the factors influencing Linux kernel vulnerability patching, revealing that kernel recency affects patch timing more than CVE severity or CVSS scores, with newer kernels patched faster.
Contribution
It provides an empirical analysis of Linux kernel CVE metadata, associated commits, and patch latency, showing that kernel recency predicts patch latency better than severity or CVSS metrics, and that the commits identified as introducing vulnerabilities are often only approximate reconstructions of the kernel's development history.
Findings
Kernel recency is a reasonable predictor of patch latency in survival models.
Severity and CVSS scores have a negligible association with patch timing.
Newer kernels are fixed sooner; older kernels retain unresolved CVEs.
Abstract
In 2024, the Linux kernel became its own Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA), formalizing how kernel vulnerabilities are identified and tracked. We analyze the anatomy and dynamics of kernel CVEs using metadata, associated commits, and patch latency to understand what drives patching. Results show that severity and Common Vulnerability Scoring System (CVSS) metrics have a negligible association with patch latency, whereas kernel recency is a reasonable predictor in survival models. Kernel developers fix newer kernels sooner, while older ones retain unresolved CVEs. Commits introducing vulnerabilities are typically broader and more complex than their fixes, though often only approximate reconstructions of development history. The Linux kernel remains a unique open-source project -- its CVE process is no exception.
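The abstract's claim that older kernels "retain unresolved CVEs" is exactly the case a survival model is built for: a CVE that is still open at the observation cutoff is a right-censored observation, not a missing one, and dropping it biases any latency estimate toward the fast fixes. The following is an added illustration, not code or data from the paper: it implements a Kaplan-Meier time-to-fix estimate per kernel branch over a constructed set of records and contrasts it with the naive "average over fixed CVEs only" figure. The branch labels, day counts and fixed/open flags are made up for illustration, and the grouping by branch is a sketch rather than the paper's models (treating recency as a covariate would need something like a Cox model, which is not shown here).

```python
"""Kaplan-Meier time-to-fix estimate per kernel branch (added example).

Constructed records: each is (branch, days, fixed). When fixed is False the
CVE was still open at the observation cutoff, so `days` is the censoring
time, not a fix time. Branches and numbers are invented for illustration
and are not data from the paper.
"""
from collections import defaultdict

# (branch, days, fixed) -- constructed observations, not real CVE data
RECORDS = [
    ("6.8", 3, True), ("6.8", 5, True), ("6.8", 7, True), ("6.8", 12, True), ("6.8", 30, False),
    ("5.15", 10, True), ("5.15", 25, True), ("5.15", 40, False), ("5.15", 60, True), ("5.15", 90, False),
    ("4.19", 30, True), ("4.19", 90, False), ("4.19", 120, False), ("4.19", 150, False), ("4.19", 200, False),
]


def kaplan_meier(obs):
    """Return [(t, S(t))] for each distinct time t at which a fix was observed.

    obs: iterable of (time, event); event=True means a fix was observed at
    `time`, event=False means the CVE was still open at `time` (censored).
    S(t) estimates the probability that a CVE is still unfixed after t days.
    Censored observations at time t count as at risk at t (usual convention).
    """
    obs = sorted(obs)
    n_at_risk = len(obs)
    survival = 1.0
    curve = []
    i = 0
    while i < len(obs):
        t = obs[i][0]
        fixes = censored = 0
        while i < len(obs) and obs[i][0] == t:
            if obs[i][1]:
                fixes += 1
            else:
                censored += 1
            i += 1
        if fixes:
            survival *= 1 - fixes / n_at_risk
            curve.append((t, survival))
        n_at_risk -= fixes + censored
    return curve


def median_time_to_fix(curve):
    """Smallest t with S(t) <= 0.5, or None if most CVEs stay open in the window."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def naive_mean_fixed_only(obs):
    """The biased alternative: average over fixed CVEs, silently dropping open ones."""
    fixed = [t for t, e in obs if e]
    return sum(fixed) / len(fixed) if fixed else None


def per_branch(records=RECORDS):
    """Compare the censoring-aware median with the naive mean for each branch."""
    groups = defaultdict(list)
    for branch, days, fixed in records:
        groups[branch].append((days, fixed))
    return {
        branch: {
            "km_median": median_time_to_fix(kaplan_meier(obs)),
            "naive_mean": naive_mean_fixed_only(obs),
            "open": sum(1 for _, e in obs if not e),
        }
        for branch, obs in groups.items()
    }


if __name__ == "__main__":
    for branch, stats in per_branch().items():
        print(branch, stats)
```

On the constructed data the naive mean for the oldest branch is 30 days because the one fixed CVE is the only one counted, while four of five remain open; the Kaplan-Meier curve never crosses 0.5 and correctly reports no median. This is the distortion a practitioner tracking "time to patch" per supported kernel series should watch for before comparing branches.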
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Information and Cyber Security
