10 Persistent Software Bugs That Took Ages to Fix

In 2021, a significant vulnerability was uncovered in a system fundamental to modern computing. An attacker could manipulate the system to execute arbitrary code. This vulnerable code was nearly 54 years old, and notably, there was no patch available, nor was there any expectation of one being developed.

Fortunately, the system in question was Marvin Minsky’s 1967 implementation of a Universal Turing Machine. Despite its considerable theoretical significance in computer science, it had never been implemented in a physical computer. However, in the decade following Minsky's design, early versions of Unix and DOS emerged, and their descendants are still operational today. Some of these systems have housed bugs for years or even decades.

Here are 10 noteworthy bugs that, after lying dormant for a long time, took over a decade to be discovered and addressed, listed in order of how long they remained unaddressed.

Libpng Graphics Library Flaw

Age: 30 years

Date Introduced: 1995

Date Fixed: February 2026

Researchers uncovered a legacy flaw in the widely used libpng open-source library that had existed since its release over 30 years ago. This heap buffer overflow vulnerability (CVE-2026-25646) meant that applications using the flawed software would crash when presented with a maliciously constructed PNG raster image file. Although difficult to exploit, the vulnerability could lead to information disclosure or remote code execution risks.

The problematic png_set_quantize function, previously known as png_set_dither, is rarely utilized. This, combined with the difficulty of exploitation, results in a CVSS score of 8.3, categorizing it as a "high" rather than a "critical" risk. Nevertheless, many Linux distributions (including Debian, Red Hat, and Ubuntu), desktop applications, and some Java runtimes rely on vulnerable versions of the library and require patches.

PrintDemon

Age: 24 years

Date Introduced: 1996

Date Fixed: May 2020

Printers often pose challenges for IT departments due to the multitude of models, diverse vendors, and user expectations for easy plug-and-play functionality. Microsoft aimed to simplify printer driver installation in its early years, but a bug identified in 2020, dubbed PrintDemon, revealed that its efforts may have gone too far, back in the '90s, leading to decades of issues.

The core of the vulnerability lies in three facts: non-administrative users can add printers to a Windows machine; the underlying mechanics allow printing to a file rather than a physical device; and crucial printing services on Windows operate with system privileges. This means that, if these facts are combined correctly, one could create a “printer” driver capable of generating a file (even an executable) anywhere on the filesystem, including privileged directories. Several exploits have been developed to take advantage of these design flaws, including Stuxnet, with PrintDemon serving as a particularly notable example.

As Winsider described, “With very subtle file system modifications, you can achieve file copy/write behavior that is not attributable to any process, especially after a reboot… with a carefully crafted port name, you can imagine simply having the Spooler drop a [portable executable] file anywhere on disk for you.” This situation clearly spells trouble!

win32k.sys Vulnerabilities

Age: 23 years

Date Introduced: 1996

Date Fixed: 2019

Two significant vulnerabilities were discovered in the Win32 API of Microsoft Windows in 2019. The first, identified in April, was a Use-After-Free vulnerability, where coding errors allowed programs to access system memory that should have been protected. Security researchers found that malicious hackers were attempting to exploit it in the wild to gain control of computers. The second vulnerability, discovered in December, was an elevation-of-privilege issue within the OS's window switching functionality; this flaw was similarly uncovered during active attacks that simulated keystrokes, creating memory leaks.

The roots of both vulnerabilities trace back to the early days of Windows. As Boris Larin, a senior security researcher at Kaspersky, explained in 2019, “The problem originates from the time when WIN32K made its debut with Windows NT 4.0, when much of Win32’s graphics engine was moved from user level to kernel to boost performance.” Although these vulnerabilities have been patched, the decision made by Microsoft so long ago has had far-reaching consequences and will likely continue to do so, as Larin noted, “Throughout the years, the WIN32K component has been responsible for more than half of all kernel security vulnerabilities discovered in Windows.”

PuTTY Heap Overflow

Age: 20 years, 9 months

Date Introduced: January 1999

Date Fixed: October 2019

PuTTY is a free and open-source suite of tools that includes a serial console, a terminal emulator, and various network file transfer applications, all featuring built-in SSH and other encryption schemes. Originally released to bring Unix tools to Windows and Mac OS, PuTTY has since expanded its reach and is now widely used on Unix systems as well. However, a vulnerability lurked at its core: a heap overflow could be triggered by a too-short SSH key, potentially resulting in the crashing of PuTTY or even remote code execution.

This vulnerability was reported through HackerOne as part of a bug bounty program, earning the submitter a reward of $3,645 and gratitude from the PuTTY team, who acknowledged that the bug had been present since the very earliest versions of the source code back in 1999.

SIGRed DNS Vulnerability

Age: 17 years

Date Introduced: 2003

Date Fixed: 2020

DNS serves as a crucial backbone of the internet, enabling computers to resolve IP addresses associated with URLs. This hierarchical system sends requests up and down the chain to identify DNS servers that can respond to the question: “Where is this computer?” As a result, DNS has been integrated into all major operating systems.

In 2020, Microsoft disclosed a critical vulnerability in its version of DNS, which had been concealed in the code for 17 years. The vulnerability, dubbed SIGRed by its discoverers at Check Point, was a buffer overflow flaw in Windows DNS servers. It could be triggered by exploit code hidden within a DNS packet's signature. A malicious nameserver could respond with such packets, circumventing most security measures and potentially gaining remote access to Microsoft DNS servers. This attack could even be wormable, meaning it could spread autonomously without user intervention.

Python Tarfile Vulnerability Rises Again

Age: 15 years

Date Introduced: 2007

Date Fixed: September 2022

Cybersecurity company Trellix identified that CVE-2007-4559, a vulnerability affecting Python's tarfile module first recognized in 2007, continued to impact hundreds of thousands of repositories until at least September 2022.

While investigating an unrelated vulnerability, the Trellix Advanced Research Center stumbled upon a flaw in Python's tarfile module. "Initially, we thought we had found a new zero-day vulnerability. As we delved deeper, we realized this was actually CVE-2007-4559," noted Kasimir Schulz, a vulnerability researcher for Trellix's Threat Labs, on the firm’s blog.

According to NIST, CVE-2007-4559 is a directory traversal vulnerability found in the extract and extractall functions of the tarfile module. It allows user-assisted remote attackers to overwrite arbitrary files through a “..” sequence in filenames within a TAR archive.

Bad actors can create exploits with as few as six lines of code added to the tarfile module, which allows users to add a filter for parsing and modifying a file's metadata before it is included in the tar archive, Schulz explained. The vulnerability “is incredibly easy to exploit, requiring little to no knowledge about complicated security topics. Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a significant supply chain issue threatening infrastructure globally.” Trellix has identified over 300,000 repositories affected by this vulnerability.

Trellix developed a scanning utility to identify the vulnerability and has patched numerous open-source repositories.

Linux SCSI Subsystem Bugs

Age: 15 years

Date Introduced: 2006

Date Fixed: March 2021

SCSI, a data transfer standard from the 1980s, continues to be used in specific contexts today. Linux maintains an extensive SCSI subsystem for those systems requiring it, as it was designed to be flexible and universal. These modules are available via automatic module loading, which allows the OS to fetch and install necessary system code when needed. That is useful if you connect a SCSI drive to your Linux machine and want to avoid searching for supporting code.

Cybersecurity consultancy Grimm revealed a comprehensive analysis of several bugs in this Linux SCSI code in March 2021. One was a buffer overflow vulnerability that could enable a regular user to gain root privileges. Other issues included errors that allowed kernel information to leak into user space, which could be exploited to obtain privileged information or contribute to a DoS attack on the affected machine. Grimm traced these bugs back to 2006, highlighting a “lack of security-conscious programming practices” that were common at the time of this code's development.

Domain Time II Man-on-the-Side Attack

Age: 14 years

Date Introduced: 2007

Date Fixed: April 2021

When two computers on the same network cannot synchronize their time, the consequences can range from annoying to disastrous. This longstanding issue was addressed by Domain Time II, a closed-source application utilized on Windows, Linux, and Solaris.

However, Domain Time II has held a serious vulnerability for most of its existence. The program sends UDP queries to an update server run by Greyware Automation Products at set intervals or conditions specified by the user. If the server responds with a URL, Domain Time II executes a program with admin privileges to download and install an update from that URL.

The issue arises when a malicious actor responds to the query before Greyware’s server, allowing the attacker to send its own reply, prompting Domain Time II to download and install whatever malware they desire. In a true man-in-the-middle attack, the attacker intercepts communications in both directions; this man-on-the-side attack, however, can’t prevent replies to the target machine from getting through and must send its own reply more quickly.

Practically speaking, an attacker would need to control a computer on the target’s local network to execute this attack. Nevertheless, it represents a method for an attacker to escalate their intrusion into more secure and valuable machines within a local network. This vulnerability was identified by the security firm Grimm, which noted that the flaw was present in software versions dating back to at least 2007.

Critical Vulnerability in Redis In-Memory Store

Age: 13 years

Date Introduced: 2012

Date Fixed: October 2025

A vulnerability in the Redis in-memory store posed a critical risk for servers hosting the database. Identified as CVE-2025-49844 or RediShell, the vulnerability stemmed from a use-after-free memory corruption bug that has existed in the Redis code base for approximately 13 years, posing a risk of remote code execution.

While the flaw required authentication to exploit, it was estimated that 60,000 internet-exposed Redis instances were left vulnerable without authentication enabled, making these systems susceptible to attack. Researchers from Wiz found the flaw and demonstrated it at the Pwn2Own Berlin contest in May 2025, just weeks before its public disclosure in October 2025.

LionWiki Local File Inclusion

Age: 11 years, 11 months

Date Introduced: November 2008

Date Fixed: October 2020

LionWiki is a minimalist wiki engine programmed in PHP. Unlike many popular wiki engines, it does not use a database, relying instead on a file-based system. While this simplicity is a strength, it also allows for a significant vulnerability.

The files underlying a LionWiki instance are accessed via file and pathnames in the URL of corresponding pages. This means that a correctly crafted URL could enable traversal of the server's filesystem hosting the LionWiki instance. Although URL-filtering provisions are in place to block such attempts, as Infosec Institute Cyber Range Engineer June Werner discovered, these measures could be easily bypassed.

Werner noted that the vulnerability persisted despite earlier attempts to correct it. “Some mitigations were first implemented in July 2009, followed