AI Summary
This study investigates key factors influencing the delay in fixing vulnerabilities in the Linux kernel, with a focus on the roles of Common Vulnerability Scoring System (CVSS) severity ratings and the age of kernel versions. Leveraging survival analysis, CVE metadata mining, Git commit tracing, and patch delay statistics, the research systematically examines the dynamics of vulnerability introduction and remediation. The findings reveal that kernel version recency serves as a strong predictor of patch latency: developers prioritize fixing vulnerabilities in newer kernel versions, while older versions often retain unpatched CVEs for extended periods. In contrast, CVSS severity scores exhibit little to no correlation with repair timelines. These results highlight the distinctive nature of Linux kernel vulnerability management and challenge conventional severity-based prioritization strategies commonly adopted in software maintenance practices.
Abstract
In 2024, the Linux kernel became its own Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA), formalizing how kernel vulnerabilities are identified and tracked. We analyze the anatomy and dynamics of kernel CVEs using metadata, associated commits, and patch latency to understand what drives patching. Results show that severity and Common Vulnerability Scoring System (CVSS) metrics have a negligible association with patch latency, whereas kernel recency is a reasonable predictor in survival models. Kernel developers fix newer kernels sooner, while older ones retain unresolved CVEs. Commits introducing vulnerabilities are typically broader and more complex than their fixes, though often only approximate reconstructions of development history. The Linux kernel remains a unique open-source project -- its CVE process is no exception.