Characteristics, Root Causes, and Detection of Incomplete Security Bug Fixes in the Linux Kernel

📅 2025-11-21
🤖 AI Summary
This study addresses the long-overlooked systemic risk of Incomplete Security Patches (ISPs) in the Linux kernel. To systematically characterize ISPs, we construct the first open-source dataset comprising 217 real-world ISP instances spanning 15 years, enabling rigorous patch comparison, version evolution analysis, and root-cause classification. Our analysis identifies four dominant ISP patterns—e.g., privilege bypass, scope omission, and context insufficiency—and uncovers underlying causes, including ambiguous patch scope definition and inadequate multi-path coverage. Building on these insights, we propose a lightweight detection methodology grounded in semantic divergence and control-flow deviation analysis. This work establishes the first empirically validated theoretical framework and reproducible methodology for automated ISP identification, significantly enhancing the reliability and efficiency of kernel security maintenance.

📝 Abstract
Security bugs in the Linux kernel emerge endlessly and have attracted much attention. However, fixing security bugs in the Linux kernel could be incomplete due to human mistakes. Specifically, an incomplete fix fails to repair all the original security defects in the software, fails to properly repair the original security defects, or introduces new ones. In this paper, we study the fixes of incomplete security bugs in the Linux kernel for the first time, and reveal their characteristics, root causes, as well as detection. We first construct a dataset of incomplete security bug fixes in the Linux kernel and answer the following three questions. What are the characteristics of incomplete security bug fixes in the Linux kernel? What are the root causes behind them? How should they be detected to reduce security risks? We then have the three main insights in the following. (*Due to the notification of arXiv "The Abstract field cannot be longer than 1,920 characters", the appeared Abstract is shortened. For the full Abstract, please download the Article.)

Problem

Research questions and friction points this paper is trying to address.

Studying incomplete security bug fixes in the Linux kernel
Analyzing characteristics and root causes of flawed patches
Developing detection methods to reduce security risks

Innovation

Methods, ideas, or system contributions that make the work stand out.

Constructed dataset of incomplete security fixes
Analyzed root causes of incomplete bug patches
Proposed detection method for flawed security fixes
Qiang Liu
Zhejiang University
Wenlong Zhang
Zhejiang University
Muhui Jiang
The Hong Kong Polytechnic University
Lei Wu
Zhejiang University
Yajin Zhou
Zhejiang University
Blockchain System Security