He told Linux.com that hardening the kernel is not enough, vendors have to enable the new features and take advantage of them and that was not happening.

While Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it.  He has noticed that aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable.

"People need to enable this stuff. I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel", he said.

"I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people.

"The good news is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."