White paper: Vendor Kernels, Bugs and Stability
Ronnie Sahlberg, Jonathan Maple, and Jeremy Allison of CiQ have published a whitepaper looking at the security-relevant bug fixes applied (or not applied) to the RHEL 8.x kernel over time.
This means that over time, the security of the RHEL kernels get worse and worse as more issues are discovered in the upstream code and are potentially exploitable but fewer and fewer of the fixes for these known bugs are back-ported into RHEL kernels.
After reaching RHEL 8.7, the theory is that the kernel has been stabilized, with a corresponding improvement in security. However we still have an influx of newly discovered bugs in the upstream kernel affecting RHEL 8.7 that are not addressed. Each minor version of upstream is released on an approximately quarterly basis and we can see that the influx of new bugs that are unaddressed in RHEL is growing. The number of known issues in these kernels increases by approximately 250 new bugs per quarter or more.