The results of a study of how long it takes to detect and fix bugs in the Linux kernel code have been published. The data comes from an analysis of 125,000 bugs marked in the Git repository with the "Fixes:" tag, which references the commit that introduced the bug. The average time to detect a bug in the kernel was 2.1 years; for bugs fixed in 2025 alone, the figure was 2.8 years.
30% of bugs were fixed by the same developers who introduced them. 56.9% of bugs were fixed within a year, while 13.5% remained undetected for more than 5 years (19.4% if only bugs fixed in 2025 are considered). Because of the skewed distribution, the median lifetime of a bug in the kernel code was 8 months for the sample from 2005 and 1 year for bugs fixed in 2025.
The longest-lived bug was a buffer overflow in ethtool, which was fixed after 20.7 years.

Detection times differ markedly from the average for some subsystems: in the CAN bus driver and the SCTP stack, identifying problems takes about 4 years on average; in the IPv4 stack, 3.6 years; USB and TTY, 3.5; Netfilter and the network stack, 2.9; VM, 1.8; GPU, 1.4; BPF, 1.1 years.

Detection time also correlates with bug type: the average time to detect race conditions was 5.1 years; integer overflows, 3.9; use-after-free, 3.2; buffer overflows and memory leaks, 3.1; reference counting errors, 2.8; NULL pointer dereferences and deadlocks, 2.2 years.
The statistics also show the impact of new tools for automated bug detection, static analysis and code testing, such as Syzkaller, KASAN, KMSAN and KCSAN. For example, in 2010 no fixed bugs had been found within a year of their introduction, whereas in 2014 31% of bugs were detected within a year, in 2018 54%, and in 2022 69%.
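The "Fixes:" tag methodology described above is easy to reproduce on any Git history. The following Python script is an added example (it is not the study's code and does not come from the kernel project): it parses a git-log-style listing of fix commits, resolves each "Fixes:" hash to the date of the bug-introducing commit, and computes the lifetime statistics the article quotes: mean and median lifetime, the share of bugs fixed within a year, the share that survived more than five years, per-subsystem averages taken from the subject-line prefix, and the within-a-year rate for a given fix year. The commit hashes, dates, subjects and the `INTRODUCING_COMMITS` map are all constructed sample data; on a real tree you would build that map from `git log --format='%h %cs'` and feed the script the body of every commit carrying a Fixes: tag. Tags that point at a hash not present in the tree are skipped rather than counted.

```python
import re
import statistics
from dataclasses import dataclass
from datetime import date

DAYS_PER_YEAR = 365.25

# Constructed sample (not from the study): dates of bug-introducing commits,
# keyed by abbreviated hash. In a real analysis this comes from the full history.
INTRODUCING_COMMITS = {
    "a1b2c3d": date(2005, 6, 1),
    "d4e5f6a": date(2012, 3, 15),
    "0badf00": date(2019, 11, 2),
    "c0ffee1": date(2021, 1, 20),
    "beef001": date(2025, 3, 3),
}

# Constructed, simplified git-log-like listing of fix commits. The last record
# references a hash that is not in the tree (a typo in the tag), which the
# analysis must tolerate by skipping it.
FIX_LOG = """\
commit 1111111
Date: 2026-02-10
    ethtool: fix buffer overflow in string set handling

    Fixes: a1b2c3d ("ethtool: add string set query")

commit 2222222
Date: 2025-05-01
    net: sctp: fix use-after-free in association lookup

    Fixes: d4e5f6a ("sctp: rework association lookup")

commit 3333333
Date: 2020-04-11
    bpf: fix NULL pointer dereference in helper

    Fixes: 0badf00 ("bpf: add new helper")

commit 4444444
Date: 2021-07-30
    usb: fix race on disconnect

    Fixes: c0ffee1 ("usb: rework disconnect path")

commit 5555555
Date: 2025-12-01
    mm: fix refcount leak on error path

    Fixes: beef001 ("mm: add new error path")

commit 6666666
Date: 2025-09-01
    tty: fix memory leak

    Fixes: feedfac ("tty: commit that is not in the tree")
"""


@dataclass
class FixRecord:
    fix_hash: str
    fix_date: date
    subsystem: str    # subject-line prefix, e.g. "net" for "net: sctp: ..."
    fixed_hash: str   # hash named in the Fixes: tag


COMMIT_RE = re.compile(r"^commit ([0-9a-f]+)\nDate: (\d{4})-(\d{2})-(\d{2})\n", re.M)
FIXES_RE = re.compile(r"^\s*Fixes:\s*([0-9a-f]{7,40})", re.M)


def parse_fix_log(text):
    """Split the listing into commits and emit one record per Fixes: tag."""
    records = []
    for chunk in re.split(r"(?m)^(?=commit )", text):
        m = COMMIT_RE.match(chunk)
        if not m:
            continue
        fix_date = date(int(m.group(2)), int(m.group(3)), int(m.group(4)))
        body = chunk[m.end():]
        subject = next((l.strip() for l in body.splitlines() if l.strip()), "")
        subsystem = subject.split(":", 1)[0].strip() if ":" in subject else "other"
        for fm in FIXES_RE.finditer(body):
            records.append(FixRecord(m.group(1), fix_date, subsystem, fm.group(1)))
    return records


def bug_lifetimes(records, introducing, fix_year=None):
    """Days from introducing commit to fix; unresolvable tags are skipped."""
    out = []
    for r in records:
        intro = introducing.get(r.fixed_hash)
        if intro is None or (fix_year is not None and r.fix_date.year != fix_year):
            continue
        out.append((r.fix_date - intro).days)
    return out


def summarize(lifetimes):
    """Mean/median lifetime plus the within-one-year and over-five-year shares."""
    n = len(lifetimes)
    if n == 0:
        return {}
    return {
        "count": n,
        "mean_days": statistics.mean(lifetimes),
        "median_days": statistics.median(lifetimes),
        "within_one_year": sum(d < DAYS_PER_YEAR for d in lifetimes) / n,
        "over_five_years": sum(d > 5 * DAYS_PER_YEAR for d in lifetimes) / n,
    }


def lifetimes_by_subsystem(records, introducing):
    """Mean lifetime in days per subject-line prefix."""
    groups = {}
    for r in records:
        intro = introducing.get(r.fixed_hash)
        if intro is not None:
            groups.setdefault(r.subsystem, []).append((r.fix_date - intro).days)
    return {k: statistics.mean(v) for k, v in groups.items()}


def within_year_rate(records, introducing, fix_year):
    """Share of bugs fixed in fix_year whose lifetime was under one year."""
    days = bug_lifetimes(records, introducing, fix_year)
    return sum(d < DAYS_PER_YEAR for d in days) / len(days) if days else 0.0


if __name__ == "__main__":
    recs = parse_fix_log(FIX_LOG)
    s = summarize(bug_lifetimes(recs, INTRODUCING_COMMITS))
    print(f"{s['count']} bugs, mean {s['mean_days'] / DAYS_PER_YEAR:.1f} y, "
          f"median {s['median_days'] / DAYS_PER_YEAR:.1f} y, "
          f"<1y {s['within_one_year']:.0%}, >5y {s['over_five_years']:.0%}")
    for sub, mean_days in lifetimes_by_subsystem(recs, INTRODUCING_COMMITS).items():
        print(f"  {sub:8s} {mean_days / DAYS_PER_YEAR:.1f} y")
    print(f"fixed in 2025 within a year: {within_year_rate(recs, INTRODUCING_COMMITS, 2025):.0%}")
```

Note that the median and the share of long-lived bugs are what expose the skew the article mentions: one 20-year ethtool-style outlier in the sample moves the mean by years while leaving the median untouched, which is why both numbers are worth reporting.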
The statistics were also used to build a machine learning model, VulnBERT, that predicts whether a commit contains a vulnerability. When tested on commits from 2024, its detection accuracy was 92.2% with a false positive rate of 1.2% (for comparison, the previously available CodeBERT model detected 89.2% of problems with a false positive rate of 48.1%).