diff --git a/tools/execsnoop.py b/tools/execsnoop.py
index b3f1ae0d4ef8..468e3439912e 100755
--- a/tools/execsnoop.py
+++ b/tools/execsnoop.py
@@ -188,8 +188,9 @@ class EventType(object):
 argv = defaultdict(list)
 # TODO: This is best-effort PPID matching. Short-lived processes may exit
-# before we get a chance to read the PPID. This should be replaced with
-# fetching PPID via C when available (#364).
+# before we get a chance to read the PPID.
+# This is a fallback for when fetching the PPID from task->real_parent->tgip
+# returns 0, which happens in some kernel versions.
 def get_ppid(pid):
 try:
 with open("/proc/%d/status" % pid) as status:
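Review bot: The added comment names the kernel field as `task->real_parent->tgip`, which looks like a typo for `tgid`, the name a reader would search for in `task_struct`; I would correct the line to `# This is a fallback for when fetching the PPID from task->real_parent->tgid`. The `TODO:` prefix on the unchanged first comment line no longer has an action attached now that the sentence about fetching the PPID via C is removed, so it should probably be dropped or given a new action. For anyone using the output for process-lineage triage, the comment could also state that a PPID read from /proc after the exec is racy: if the parent has already exited, the child may show a reparented PPID, so values from this path are best treated as unverified. The body of get_ppid continues past the end of the hunk, so how a failed read is reported is not visible here.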