January 7, 2026

20-Year Bugs, 24-Hour Comment War

Kernel bugs hide for 2 years on average. Some hide for 20

20-year bugs ignite a brawl: blame C, shrink the system, or trust open code

TLDR: A deep dive into 125k Linux fixes finds bugs hide for 2.1 years on average, with one lasting 20.7, and an AI tool catches most at commit time. Comments clash over blame—unsafe C, outsized design, or closed code—while jokes fly, highlighting how quietly core systems can stay vulnerable.

The study says the scary part out loud: some bugs in the Linux “kernel” (the core of your operating system) hid for years—one for 20.7—and on average they lurk for about 2.1 years. There’s a shiny new AI tool that catches most problems right when code is written, and yes, the trends show we’re fixing faster. But the comments? Absolute cage match. Security doomers bring “panic first” energy, warning that a single hole can own your whole machine, and push for a redesign away from big, old-school kernels toward tiny, isolated pieces that fail less, name-dropping seL4 and Genode like celeb cameos.

Then the “it’s the language, stupid” crowd storms in: if C is the tool, memory bugs are the nails. One commenter says the stats scream language limits and begs to plug this tool straight into the workflow. Open-source defenders go for the mic drop: “Imagine if no one outside a select circle ever saw the code.” Translation: transparency saves us. Meanwhile, the peanut gallery keeps it spicy—“Firefox bugs stay open that long,” one quips—while another gripes the commit links aren’t clickable (because of course). Bonus context for non-nerds: CAN (car networks) and SCTP (a network protocol) are where bugs linger longest. The drama is real, but so is the progress: from 0% found within a year in 2010 to 69% in 2022. Internet, resume fighting.

Key Points

  • Analysis of 125,183 kernel bug-fix pairs via “Fixes:” tags across the Linux kernel’s 20-year git history found an average bug lifetime of 2.1 years.
  • The longest-lived bug was an ethtool buffer overflow lasting 20.7 years; a netfilter refcount leak lasted 19 years.
  • Subsystems like CAN bus drivers (4.2 years) and SCTP networking (4.0 years) have longer average bug lifetimes.
  • Full-history analysis shows improvement: 57% of bugs are found within a year, and newer bugs are fixed faster (e.g., for 2022: average 0.8 years, 69% found in under a year).
  • VulnBERT detects historical bugs at commit time with 92.2% recall and a 1.2% false positive rate, outperforming a vanilla CodeBERT baseline.
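The lifetime measurement the first key point describes can be reproduced in miniature. The script below is an added example, not the study's tooling or any kernel code: it pairs each fix commit with the commit named in its `Fixes:` trailer, subtracts author dates, and reports the average, the share found within a year, and per-subsystem means. The commit records, SHAs and dates are constructed (chosen so the lifetimes echo the figures above), and bucketing commits by path prefix is an assumption about how one might group by subsystem, not the study's method.

```python
"""Bug-lifetime measurement from git "Fixes:" trailers (added example)."""
import re
from datetime import date
from statistics import mean

# A kernel fix names the commit it repairs with a trailer such as
#   Fixes: a1b2c3d4e5f6 ("net: add ethtool string query")
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-fA-F]{7,40})\b", re.MULTILINE)
DAYS_PER_YEAR = 365.25

# Constructed sample history (not real kernel commits). Dates are chosen so the
# lifetimes roughly echo the figures in the article.
COMMITS = [
    {"sha": "a1b2c3d4e5f6", "date": date(2004, 1, 10), "file": "net/core/ethtool.c",
     "subject": "net: add ethtool string query", "body": ""},
    {"sha": "b2c3d4e5f6a7", "date": date(2010, 5, 1), "file": "net/can/raw.c",
     "subject": "can: raw: add socket option", "body": ""},
    {"sha": "c3d4e5f6a7b8", "date": date(2022, 3, 1), "file": "net/sctp/socket.c",
     "subject": "sctp: rework chunk queue", "body": ""},
    {"sha": "d4e5f6a7b8c9", "date": date(2024, 9, 15), "file": "net/core/ethtool.c",
     "subject": "net: bound ethtool string copy",
     "body": 'Fixes: a1b2c3d4e5f6 ("net: add ethtool string query")\n'},
    {"sha": "e5f6a7b8c9d0", "date": date(2014, 7, 1), "file": "net/can/raw.c",
     "subject": "can: raw: drop stale reference",
     "body": 'Report the fault.\n\nFixes: b2c3d4e5f6a7 ("can: raw: add socket option")\n'},
    {"sha": "f6a7b8c9d0e1", "date": date(2022, 9, 1), "file": "net/sctp/socket.c",
     "subject": "sctp: check queue length",
     "body": 'Fixes: c3d4e5f6a7b8 ("sctp: rework chunk queue")\n'},
    {"sha": "0a1b2c3d4e5f", "date": date(2023, 1, 1), "file": "fs/ext4/inode.c",
     "subject": "ext4: fix typo in comment",
     # Names a commit absent from this history (e.g. pre-git era): unpairable.
     "body": 'Fixes: 999999999999 ("ext4: original change")\n'},
]


def subsystem(path):
    """Bucket a file path by subsystem (assumption: two path components
    for net/ and drivers/, one otherwise)."""
    parts = path.split("/")
    depth = 2 if parts[0] in ("net", "drivers") else 1
    return "/".join(parts[:depth])


def resolve(prefix, index):
    """Expand an abbreviated SHA; ambiguous or unknown prefixes give None."""
    hits = [sha for sha in index if sha.startswith(prefix.lower())]
    return index[hits[0]] if len(hits) == 1 else None


def bug_lifetimes(commits):
    """Pair every Fixes: trailer with its target and measure the gap in years."""
    index = {c["sha"]: c for c in commits}
    pairs = []
    for fix in commits:
        for prefix in FIXES_RE.findall(fix["body"]):
            culprit = resolve(prefix, index)
            if culprit is None or culprit["date"] > fix["date"]:
                continue  # unresolvable or inconsistent dates: leave unpaired
            days = (fix["date"] - culprit["date"]).days
            pairs.append({"fix": fix["sha"], "culprit": culprit["sha"],
                          "subsystem": subsystem(culprit["file"]),
                          "years": days / DAYS_PER_YEAR})
    return pairs


def summarize(pairs):
    """Average lifetime, share found within a year, and per-subsystem means."""
    if not pairs:
        return {"count": 0, "mean_years": 0.0, "share_within_year": 0.0,
                "longest": None, "by_subsystem": {}}
    by_sub = {}
    for p in pairs:
        by_sub.setdefault(p["subsystem"], []).append(p["years"])
    longest = max(pairs, key=lambda p: p["years"])
    return {
        "count": len(pairs),
        "mean_years": mean(p["years"] for p in pairs),
        "share_within_year": sum(p["years"] < 1 for p in pairs) / len(pairs),
        "longest": (longest["culprit"], longest["years"]),
        "by_subsystem": {k: mean(v) for k, v in by_sub.items()},
    }


if __name__ == "__main__":
    stats = summarize(bug_lifetimes(COMMITS))
    print(f"{stats['count']} pairs, mean {stats['mean_years']:.1f} years, "
          f"{stats['share_within_year']:.0%} found within a year")
    for sub, yrs in sorted(stats["by_subsystem"].items()):
        print(f"  {sub:10s} {yrs:.1f} years")
```

On a real checkout the same logic runs over `git log --format=...` output with author dates; the two things that silently skew the result are trailers naming commits outside the history (dropped here rather than guessed) and abbreviated SHAs that have become ambiguous as the repository grew, which `resolve` refuses to expand.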

Hottest takes

"One bug is all it takes to compromise the entire system." — snvzz
"Imagine if no one outside a select circle ever got to examine the code." — esseph
"From the stats we see that most bugs effectively come from the limitations of the language." — eulgro

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.