by temac 2502 days ago
There is even more depth to the alloca() fiasco than most people realize.

cppcheck could detect the bug without any hard setup effort (launching it in the systemd codebase, with maybe an option to activate all checks, was enough) at least 2 years before it was revealed (probably more like at least 3 or 4, I don't remember the exact value). That's a fact easy to verify.

I suspect other tools could find it too, though I have not checked.

What that implies is more speculative, but there are some kinds of "either or" situations that are extremely nasty. For example, either RH (and all the other distros using it) did not analyse it, or they hid it for other reasons. The most reasonable hypothesis is that they just did not analyze it. Which puts them at least 15 years behind MS in some domains that were even more critical at the time (and still today) than 15 years before.