Electrical Engineering and Computer Science Student Discovers Key Security Vulnerability in Commonly Used Operating System

Shivam Kumar and Endadul Hoque

Shivam Kumar, a first-year Ph.D. candidate in Electrical Engineering and Computer Science Professor Endadul Hoque’s research group, recently identified a security vulnerability in the Linux kernel, a key component of countless computing systems and the largest open-source project in existence.

For many people, the Linux kernel operates invisibly in the background. But its reach is enormous: servers, supercomputers, Android devices, embedded systems, and cloud infrastructure all run some variant of it. “From the servers to the cloud, Linux is the silent engine powering virtually the whole internet,” explains Professor Hoque.

Kumar is a member of the SYNE Lab (SecuritY of Networked systEms), led by Hoque. The SYNE Lab works to reduce security vulnerabilities in computer software, developing tools that can automatically detect and repair potential vulnerabilities.

Kumar’s research focuses on a specific component of the Linux kernel: Non-Volatile Memory Express over TCP (NVMe/TCP), a communication protocol that enables data transfer between computing servers and remote storage systems over standard Ethernet networks. Widely adopted in modern data centers, the technology helps boost application performance, particularly in AI training workloads and shared storage environments.

“In a desktop or laptop, the disk where data is stored is physically inside the machine,” Kumar explains. “In contrast, computing servers often rely on storage located elsewhere—for example, in a remote storage server that houses a large pool of high-performance NVMe solid-state drives (SSDs). NVMe/TCP is one of the protocols that allows computing servers to access these remote storage pools over a network while delivering performance that is close to having the drives locally attached.”

The SYNE Lab team is working on building an automated tool that will systematically find vulnerabilities in operating systems. In their preliminary testing, Kumar found a vulnerability that bad actors could easily exploit. By sending malicious input from a client machine, an attacker could crash a remote storage server, posing a serious threat to data centers and the infrastructure they support. Kumar discovered a missing input validation: the kernel code was not properly checking incoming data before processing it.

After discovering the vulnerability, Kumar and Hoque contacted the Linux developer team and spent several weeks working back and forth to reproduce the issue and create a fix. The SYNE Lab developed both a proof-of-concept to demonstrate the vulnerability and the patch itself.

Kumar originally came to Syracuse University as a master’s student, but after taking one of Hoque’s courses, his interest in operating systems grew. In 2025, he was accepted into the Computer Science Ph.D. program and is now a teaching assistant for CSE 486: Design of Operating Systems—the same topic that sparked his interest in pursuing his Ph.D.

“A student from ECS contributing to the security of the Linux kernel is a landmark achievement for the department,” says Hoque. Kumar’s patch has now been merged into the main Linux kernel codebase, where it will be pushed to all developers building on the platform going forward.

Back to News