The conclusion comes from Coverity, a code-analysis firm based in San Francisco founded by five Stanford researchers who started the examination in 2000 when they were part of the school's Computer Science Research Center.
Coverity discovered just 985 bugs in 5.7 million lines of code in Linux 2.6.9, which is the basis for most of the major current distributions of the open-source operating system. That works out to just 0.17 bugs per thousand lines of code, far under the average of 20 to 30 bugs per thousand estimated by Carnegie Mellon University's CyLab Sustainable Computing Consortium for commercial software.
"Our findings show that Linux contains an extremely low defect rate, and is evidence of the strong security of Linux," said Seth Hallem, chief executive officer of Coverity, in a statement.
Of the nearly 1,000 bugs, 41 percent could cause a system crash, said Coverity, while more than a third could corrupt system memory or cause it to fail entirely. Not surprisingly, a majority of the flaws were found in device drivers, while just one in 100 was found in the core kernel services.
The top priority bugs uncovered by Coverity have already been fixed, said Andrew Morton, the lead Linux kernel maintainer, in an accompanying statement. "We appreciate Coverity's efforts to help us improve the security and stability of Linux," he added.
Coverity also said it would provide regular reports on its Linux bug analyses, and make a summary of the results available to the Linux community free of charge.
A brief summary of the bugs found so far is available on the Coverity site.