Blog / / 5 min read

Fixing the Linux Kernel: Upstream Memory-Safety Contributions

The same automated research pipeline that audits npm packages now reads kernel C — and has landed memory-safety fixes in the mainline Linux kernel, each maintainer-reviewed and shipping to stable. Here's what merged, and how.

Finding a bug is the easy half. The hard half — the half that actually proves a security pipeline works — is getting a maintainer to accept your fix into the code that ships to everyone.

Over the past few weeks, 0sec’s automated security research has done exactly that in the place where the bar is highest: the mainline Linux kernel. Not a fork, not a write-up, not a “potential issue” filed into a tracker. Real patches, reviewed by the subsystem maintainers, merged into Linus Torvalds’ tree (or accepted upstream and queued for it), and flowing out to the stable trees that distributions ship.

Every one carries the same line in its permanent git history: “Found by 0sec automated security-research tooling.”

What landed

SubsystemBug classStatusCommit
Bluetooth (LE Audio CIS)use-after-freemerged to mainline + stable (6.12.y, 6.6.y)bfea6091
TIPC (crypto)use-after-freemerged to mainlinebda33488
mac802154 (802.15.4 crypto)missing copy-on-writemerged to mainline84a04eb5
mlx5e (MACsec RX offload)use-after-freemerged to mainlinede74d8fd
xen-blkfront (block)split-request double completionmerged to mainline5d727203
NFC (digital layer)stack buffer overflowaccepted in the NFC maintainer tree, queued for mainline5cb0e4ac
NFC (LLCP)TLV integer underflow + OOB readaccepted in the NFC maintainer tree, queued for mainlineed85d4cb

Each links to the real commit — verifiable in the kernel’s own git, with our authorship attached.

How the pipeline gets there

The kernel work runs on the same principle as our package research: read the source, trace the data, prove the bug, then propose the minimal correct fix. The difference is the rigor the kernel community (rightly) demands before anything merges:

  1. Source analysis surfaces a candidate — an attacker-influenced length feeding a copy, a pointer used after a concurrent free, a crypto path missing a guard its sibling already has.
  2. Verification before sending. Every patch is generated byte-exact from a real tree, apply-checked, and compile-clean. Where a bug has a public reproducer, we confirm the fix against it — for the NFC overflow, that meant a #syz test run on syzbot’s reproducer, which came back Tested-by: syzbot before the patch ever reached a maintainer.
  3. Upstream review. Maintainers and reviewers — at Intel, Red Hat, and across the kernel community — reviewed the patches. The TIPC fix carries three independent Reviewed-by tags; the NFC and 802.15.4 fixes carry maintainer review from Intel.

Pipeline Verification Funnel

The TIPC one shows exactly how these get found: the encrypt path had already been fixed for a use-after-free during network-namespace teardown — but the decrypt twin was left unguarded. That’s incomplete-fix variant analysis: take a known, patched bug and ask whether its mirror image was missed. It was.

What this proves

Anyone can publish a “potential issue.” The bar that actually counts is the one almost no one clears: seven memory-safety fixes, across six kernel subsystems, merged into mainline Linux in a matter of weeks — each reviewed by the subsystem’s own maintainers, each riding out to the stable trees that ship on billions of devices.

That’s not “we found something.” It’s in the tree, with our name on it.