5–7 Oct 2026
Europe/Prague timezone

Kernel CVEs at AWS Scale: Two Years of Empirical Findings

Not scheduled
45m
Kernel Summit Track Kernel Summit Track

Speakers

Mr Dylan Johnson (Amazon Web Services)Mr Justinien Bouron (Amazon Web Services)

Description

Since the Linux kernel project became a CVE Numbering Authority (CNA) in February 2024, organizations maintaining custom kernels have faced a flood of CVE disclosures.

We present empirical findings, lessons learned, and the key challenges that the kernel team responsible for Amazon Web Services fleet infrastructure encountered over the following two years while handling the steady flow of kernel CVEs.

We summarize our approach to assessing kernel CVEs in a warehouse-scale environment, pruning our code base to reduce the attack surface, along with quantitative results from field data. Specifically, we examine

  • how NVD/CVSS scores and third-party assessments correlate with our final in-house ratings;
  • how community guidance, including stable tree tracking and domain-specific risk assessment, measurably improved our development velocity, kernel maintenance, and kernel adoption strategy; and
  • how backporting practices introduce regressions and compound risk.

We then present data on patching velocity and CVE-related trends across LTS versions. Although our data comes from a single environment, we believe these findings generalize to any organization that maintains in-house or custom kernels.

We will close with an open discussion on emerging developments (including where AI-assisted tooling fits into the CVE triage and patching pipeline) and invite attendees to challenge, extend, or contradict our findings with their own data.

Authors

Mr Dylan Johnson (Amazon Web Services) Mr Justinien Bouron (Amazon Web Services) Mrs Alice Zielman (Amazon Web Services) Dr Gunnar Kudrjavets (Amazon Web Services)

Presentation materials

There are no materials yet.