This study addresses the widespread security risks in SOHO devices stemming from outdated Linux kernels, whose real-world impact and update barriers in highly customized environments remain poorly understood. The authors propose a high-precision template-matching method to detect genuine kernel vulnerabilities within GPL-released source code from 306 devices and, for the first time, conduct a large-scale supply chain traceability analysis. Their investigation reveals a pervasive “kernel lock-in” phenomenon caused by SoC vendors’ SDKs, which propagates vulnerability debt downstream. All five major SoC vendors examined rely on kernel SDKs that have been end-of-life for over a year. Regulatory compliance proves insufficient to drive updates; only vendors actively collaborating with the open-source community have achieved meaningful mitigation, underscoring the critical role of community governance in enabling effective kernel upgrades.

Small Office/Home Office (SOHO) devices are widely popular, yet often attacked due to security vulnerabilities in their firmware, affecting thousands of devices. These security vulnerabilities often stem from outdated Linux kernel versions included in SOHO device firmware. Naturally, prior work audited the extent and impact of this issue by simple Linux version extraction and version number based vulnerability mapping. However, it is unclear how many of these anticipated vulnerabilities actually exist in the heavily customized SOHO kernels and if there are any barriers towards updating Linux kernels in SOHO firmwares. To address this gap, we uncover actual kernel-related vulnerabilities found in 306 SOHO devices using a high-precision template-based CVE detection mechanism on GPL source releases of more than 900 firmwares from these devices. Next, as a first, we traced the supply chain of these vulnerable SOHO devices at scale and identify kernel lock-in as a significant security issue -- SOHO vendors are effectively locked to specific (often older) kernel versions due to the system-on-chip (SoC) SDKs they use. This kernel lock-in produces a vulnerability debt that is inherited along the supply chain from SoC vendor to firmware creators (ODM/OEM) to router/IP-camera vendor and ultimately borne by end users. All five SoC vendors in our dataset had used SDKs with Linux kernels that had reached EoL more than a year before their usage in a SOHO device. Finally, we explore the mitigation-potential of individual, regulatory and community governance by analyzing social media posts, regulations and community efforts. Our results show that regulation compliance is insufficient and only SoC vendors who engage with communities for kernel upgradation offered a viable path towards mitigation. The data and code for this work is available at https://doi.org/10.5281/zenodo.20433799