News Story
UMD Study Finds Critical Cloud Security Patches Often Never Reach Their Destination
Published June 8, 2026
Simge Tekin (left), Yonghwi Kwon and Tudor Dumitraș recently presented their research on cloud security vulnerabilities at the IEEE Symposium on Security and Privacy, one of the field's premier cybersecurity conferences.
A software patch may be available, but that doesn't mean it's protecting the systems that need it.
A new study from the University of Maryland and Google Research reveals that critical security updates often become trapped in the software supply chains that power modern cloud computing, leaving known vulnerabilities exposed for weeks—or even permanently.
The research team analyzed more than 750,000 software container images—the standardized digital packages used to deploy modern applications—over six years to understand how security fixes move through the cloud ecosystem. Their findings challenge a common assumption that patches automatically flow from software vendors to the applications built on top of their products.
“Many people assume that once a vulnerability is patched, the problem is solved,” said Yonghwi Kwon, an assistant professor of electrical and computer engineering at UMD. “Our research shows that getting that patch to the systems that need it is often the harder problem.”
The study was led by Simge Tekin, a third-year doctoral student in computer science at UMD. Her research supervisors, Kwon and Tudor Dumitraș, served as co-authors on the paper. Both Dumitraș, an associate professor of electrical and computer engineering, and Kwon are core members of the Maryland Cybersecurity Center and hold appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).
Their paper, “Death Is Not the End: A Longitudinal Study on the Impact of Automatic Updates on Container Vulnerability Lifespans,” was recently presented at the IEEE Symposium on Security and Privacy (S&P), one of the field's premier cybersecurity conferences.
To make software easier to build and deploy, developers increasingly rely on containers—prepackaged bundles of software that serve as the foundation for cloud applications. These containers are built in layers, with applications sitting on top of software components maintained by other organizations. The system is designed so that security updates released for foundational software automatically flow downstream to protect applications that depend on them.
The researchers found that the process often breaks down.
“These delays happen even when automated patching is working as intended,” Tekin said. “They arise from the design of containerized software itself, where security fixes have to move through layers of dependent container images. By identifying where patch propagation breaks down, we can help developers reduce vulnerability exposure and better secure their software supply chains.”
Their analysis showed that 78% of patchable vulnerabilities remained exposed for more than 30 days, exceeding the remediation window commonly recommended by federal cybersecurity agencies. In many cases, fixes were available but failed to propagate through the software supply chain.
The study identified several reasons for these delays. Foundational software layers can quietly reach an unsupported "end-of-life" state, where maintainers stop issuing security updates without clear signals to downstream users. Developers also frequently rely on version labels that suggest ongoing support but provide little insight into whether software is actively maintained. And when vulnerabilities emerge, responsibility for fixing them is often spread across multiple organizations, making accountability difficult to establish.
Researchers found that abandoned upstream layers accounted for 11% of permanently unresolved vulnerabilities. In more complex software dependency chains, that figure rose to 23%.
"When developers realize they aren't receiving critical updates, they often struggle to determine who is responsible for fixing the problem," Kwon said. "The ecosystem lacks visibility into where the update pipeline has broken down."
To address the issue, the team introduced the concept of lineage, which creates a cryptographically verifiable record of a container's ancestry and maintenance history. The approach allows developers to identify software foundations that remain connected to active update channels and avoid dependencies that have effectively been abandoned.
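As an added illustration, not code from the paper or its authors, the script below models the propagation problem the article describes: it walks a constructed container ancestry, flags ancestors that reached end-of-life before a fix was published (so the fix can never arrive downstream), measures how long a rebuilt or un-rebuilt image stayed exposed against a 30-day window, and chains record hashes so the ancestry record is tamper-evident. Image names, dates and the hashing scheme are all constructed assumptions, not the paper's data or design.

```python
import hashlib
import json
from datetime import date

# Constructed sample lineage (not data from the paper): each image names its base
# image, the date it was last rebuilt, and the date its maintainers stopped
# shipping security updates (None = still supported).
LINEAGE = {
    "base-os:11": {"parent": None, "rebuilt": date(2025, 1, 10), "eol": date(2025, 6, 30)},
    "runtime:3.11-on-11": {"parent": "base-os:11", "rebuilt": date(2025, 1, 12), "eol": None},
    "acme/webapp:2.4": {"parent": "runtime:3.11-on-11", "rebuilt": date(2025, 2, 1), "eol": None},
    "base-os:12": {"parent": None, "rebuilt": date(2026, 5, 20), "eol": None},
    "acme/api:1.0": {"parent": "base-os:12", "rebuilt": date(2026, 6, 10), "eol": None},
    "acme/batch:0.9": {"parent": "base-os:12", "rebuilt": date(2026, 4, 15), "eol": None},
}
FIX_RELEASED = date(2026, 5, 1)   # constructed: day upstream publishes the fix
TODAY = date(2026, 6, 8)          # constructed: day of the assessment

def ancestry(image):
    """Walk parent links from a leaf image up to its root base layer."""
    chain = []
    while image is not None:
        chain.append(image)
        image = LINEAGE[image]["parent"]
    return chain

def lineage_digest(image):
    """Hash each record together with its parent's digest, so altering any
    ancestor changes the leaf digest. A simplified illustration of a verifiable
    ancestry record, not the construction used in the paper."""
    rec = LINEAGE[image]
    parent_digest = lineage_digest(rec["parent"]) if rec["parent"] else ""
    payload = json.dumps({"image": image, "rebuilt": rec["rebuilt"].isoformat(),
                          "eol": rec["eol"].isoformat() if rec["eol"] else None,
                          "parent": parent_digest}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def assess(image, fix_released=FIX_RELEASED, today=TODAY, window_days=30):
    """Classify `image`'s exposure to a flaw in its root layer that upstream fixed
    on `fix_released`. Simplification: a rebuild on or after the fix date pulls
    in the fixed parent, so exposure ends at the first such rebuild."""
    abandoned = [a for a in ancestry(image)
                 if LINEAGE[a]["eol"] and LINEAGE[a]["eol"] < fix_released]
    if abandoned:  # an ancestor went end-of-life before the fix: it never arrives
        return {"status": "permanently unresolved", "abandoned": abandoned}
    rebuilt = LINEAGE[image]["rebuilt"]
    status, end = ("patched", rebuilt) if rebuilt >= fix_released else ("exposed", today)
    days = (end - fix_released).days
    return {"status": status, "days_exposed": days, "over_window": days > window_days}
```

Running `assess` on each leaf image separates the three outcomes the article reports: a fix that arrived late, a fix still waiting for a rebuild, and a fix that will never arrive because an upstream layer was abandoned.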
“Our approach essentially builds the missing delivery pipeline,” Kwon said. “Before this, the ecosystem was like a hospital that had the right medicine in the pharmacy, but lacked any functional way to get it up to the patients’ rooms.”
The findings have growing implications for critical infrastructure and other sectors that increasingly depend on cloud technologies. From power grids and water systems to government services and businesses, organizations rely on software that must be updated quickly as new vulnerabilities are discovered. At the same time, advances in artificial intelligence are helping attackers identify and exploit newly disclosed weaknesses faster than ever, increasing the risks associated with delayed patching.
"Understanding the state of security in our critical infrastructure is the first step in defending it," Kwon said.
The research team also included Sungsu Kwag, a third-year doctoral student in electrical and computer engineering, and UMD alumnus Octavian Suciu Ph.D. ’21, now a researcher at Google Research. After years of large-scale data collection and analysis, the team's selection for presentation at S&P highlights both the significance of the findings and the potential of the lineage approach to strengthen software security practices across the cloud computing industry.
—Story by Melissa Brachfeld, UMIACS communications group