- June 10, 2026
- By Melissa Brachfeld
A software patch may be available, but that doesn't mean it's protecting the systems that need it.
A new study from the University of Maryland and Google Research reveals that critical security updates often become trapped in the software supply chains that power modern cloud computing, leaving known vulnerabilities exposed for weeks—or even permanently.
The research team analyzed more than 750,000 software container images—the standardized packages used to build and deploy modern applications—published over six years, to understand how security fixes move through the cloud ecosystem. The findings challenge a common assumption that patches automatically flow from software vendors to the applications built on top of their products: in practice, a fix released for a base image reaches downstream images only if those images are rebuilt on the patched base.
The study was led by Simge Tekin, a third-year doctoral student in computer science at UMD. Assistant Professor Yonghwi Kwon and Associate Professor Tudor Dumitras in the Department of Electrical and Computer Engineering served as co-authors on the paper. Both are core members of the Maryland Cybersecurity Center and hold appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).
The researchers’ analysis showed that 78% of patchable vulnerabilities remained exposed for more than 30 days, exceeding the remediation window commonly recommended by federal cybersecurity agencies. In many cases, fixes were available but failed to propagate through the software supply chain.
The study identified several reasons for these delays. Foundational software layers can quietly reach an unsupported "end-of-life" state, where maintainers stop issuing security updates without clear signals to downstream users. Developers also frequently rely on version labels that suggest ongoing support but provide little insight into whether software is actively maintained. And when vulnerabilities emerge, responsibility for fixing them is often spread across multiple organizations, making accountability difficult to establish.
To address the issue, the team introduced the concept of lineage, which creates a cryptographically verifiable record of a container's ancestry and maintenance history. The approach allows developers to identify software foundations that remain connected to active update channels and avoid dependencies that have effectively been abandoned.
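As an added example, not code from the paper or its authors (the page does not describe how the researchers actually implement lineage), the block below shows one minimal way a hash-chained ancestry record could surface the two failure modes described above: a base image that has quietly passed its end-of-life date, and a base fix that was published but never reached the application because the downstream image was never rebuilt on it. It also shows why the record must be tamper-evident: a forged entry claiming the base is still supported fails verification. Image names, digests and dates are constructed; the record format, the hash-chain construction and the checks are assumptions for illustration.

```python
"""Hash-chained container ancestry records (added example, assumptions labelled)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class LineageRecord:
    image: str                # name:tag that downstream Dockerfiles pull (constructed)
    digest: str               # manifest digest of this build (constructed, not real)
    built: str                # ISO date this digest was built and published
    eol: Optional[str]        # ISO date after which the maintainer ships no fixes
    parent_id: Optional[str]  # record_id of the FROM image; None for the root


def record_id(rec: LineageRecord) -> str:
    """Content address of a record: SHA-256 over its canonical JSON.
    parent_id is part of the hashed bytes, so editing any ancestor changes
    every descendant's id and the stored ids stop matching (hash chain,
    not a signature scheme; an assumption of this example)."""
    canonical = json.dumps(asdict(rec), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append(store, parent_id, image, digest, built, eol=None):
    """Add a record built FROM parent_id and return its id."""
    rec = LineageRecord(image, digest, built, eol, parent_id)
    rid = record_id(rec)
    store[rid] = rec
    return rid


def verify_chain(store, leaf_id):
    """Walk leaf -> root, recomputing each id. Returns the records root-first,
    or raises ValueError if an ancestor is missing or its hash does not match."""
    chain, rid = [], leaf_id
    while rid is not None:
        rec = store.get(rid)
        if rec is None:
            raise ValueError(f"missing ancestor record {rid[:12]}")
        if record_id(rec) != rid:
            raise ValueError(f"record {rid[:12]} ({rec.image}) does not match its id")
        chain.append(rec)
        rid = rec.parent_id
    return list(reversed(chain))


def assess(store, leaf_id, today):
    """Report ancestors past end-of-life, and ancestors pinned to a digest that the
    same image:tag has since superseded, i.e. a base fix exists upstream but this
    image was never rebuilt on it. ISO date strings compare correctly as text."""
    findings = []
    chain = verify_chain(store, leaf_id)
    for rec in chain:
        if rec.eol and date.fromisoformat(rec.eol) <= today:
            findings.append(f"{rec.image} reached end-of-life on {rec.eol}")
        newer = [r for r in store.values()
                 if r.image == rec.image and r.digest != rec.digest and r.built > rec.built]
        if newer:
            latest = max(newer, key=lambda r: r.built)
            findings.append(f"{rec.image} pinned to {rec.digest} but {latest.digest} "
                            f"was published {latest.built}; rebuild needed")
    return {"chain": [r.image for r in chain], "findings": findings}


def demo():
    """Constructed lineage: OS base -> language runtime -> application image."""
    store = {}
    base_v1 = append(store, None, "distro:stable", "sha256:aaa1", "2025-11-01", eol="2026-05-01")
    runtime = append(store, base_v1, "lang-runtime:3", "sha256:bbb1", "2025-11-15")
    app = append(store, runtime, "shop/api:1.4", "sha256:ccc1", "2025-12-01")
    # The base maintainer later publishes a patched rebuild; nothing downstream is rebuilt.
    append(store, None, "distro:stable", "sha256:aaa2", "2026-01-20", eol="2026-05-01")
    report = assess(store, app, date(2026, 6, 10))

    # Tamper attempt: rewrite the base record to claim it is still supported.
    forged = LineageRecord(**{**asdict(store[base_v1]), "eol": None})
    tampered = dict(store)
    tampered[base_v1] = forged
    try:
        verify_chain(tampered, app)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    rep, detected = demo()
    print(" -> ".join(rep["chain"]))
    for f in rep["findings"]:
        print("FINDING:", f)
    print("tamper detected:", detected)
```

The two findings this produces for the constructed data are exactly the cases the study describes: the root image is past its end-of-life date, and a newer build of that same root exists that the application never picked up. In a real pipeline the records would need to be signed by the image publisher and bound to registry digests, which this illustration does not attempt.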
The research team also included Sungsu Kwag, a third-year doctoral student in electrical and computer engineering, and Octavian Suciu Ph.D. ’21, now at Google Research.