Speakers
Description
Since the Linux kernel project became a CVE Numbering Authority (CNA) in February 2024, organizations maintaining custom kernels have faced a flood of CVE disclosures.
We present empirical findings, lessons learned, and the key challenges that the kernel team responsible for Amazon Web Services fleet infrastructure encountered over the following two years while handling the steady flow of kernel CVEs.
We summarize our approach to assessing kernel CVEs in a warehouse-scale environment, pruning our code base to reduce the attack surface, along with quantitative results from field data. Specifically, we examine
- how NVD/CVSS scores and third-party assessments correlate with our final in-house ratings;
- how community guidance, including stable tree tracking and domain-specific risk assessment, measurably improved our development velocity, kernel maintenance, and kernel adoption strategy; and
- how backporting practices introduce regressions and compound risk.
We then present data on patching velocity and CVE-related trends across LTS versions. Although our data comes from a single environment, we believe these findings generalize to any organization that maintains in-house or custom kernels.
We will close with an open discussion on emerging developments (including where AI-assisted tooling fits into the CVE triage and patching pipeline) and invite attendees to challenge, extend, or contradict our findings with their own data.