Practical guide · 12 min read

How to patch Linux CVEs in 2026

The indie SaaS guide — no security team required.

CVE patching for indie SaaS shops sits in an awkward middle: too small for an enterprise security platform, too consequential to ignore. This guide is the playbook we run on our own Hostinger VPS and the same workflow we package as StackPatch. It covers Ubuntu, Debian, Alpine, AlmaLinux, and Rocky Linux — the five distros most likely to be running indie SaaS workloads in 2026.

1. Detect — the 5-second quickscan

The first job is figuring out which CVEs apply to your stack right now. Reading every USN advisory by hand is the manual version of this. The fast version is one curl command.

curl https://mindsparkstack.com/scan.sh | bash

That reads /etc/os-release, uname -r, and the top 200 installed packages from your distro's package manager (dpkg-query / apk info / rpm -qa), POSTs them to a public matcher API, and prints any CVEs that match against the cached Ubuntu USN, Debian Security Tracker, Alpine secdb, AlmaLinux, and Rocky Linux feeds. Source is rendered as text/plain so you can read it before piping.

Anonymous, no signup, no card. Form-based version if you can't pipe-to-bash.

2. Classify — five playbook classes

Every CVE finding falls into one of five buckets. Knowing which bucket dictates the remediation command and the urgency. Full reference at /patch/playbook.

  • apt_upgrade

    Standard package vulnerability with a fix in the regular apt repo. No reboot, existing service connections survive. The most common case.

  • apt_upgrade_esm

    Fix is in Ubuntu Pro / ESM, not the standard repo. Free for personal + small-team use; attach a Pro token first.

  • kernel_reboot

    Kernel-level vulnerability. Apt installs the patched linux-image, but the running kernel stays vulnerable until reboot.

  • modprobe_blacklist

    Unfixed kernel CVE where the upstream patch isn't in your distro yet. Persistent modprobe blacklist removes the attack surface without a reboot. Used for CVE-2026-31431 (Copy Fail).

  • mitigated

    Already covered by an active mitigation file in /etc/modprobe.d/. Auto-clears when a patched package is installed.

3. Remediate — exact commands per distro

Each distro has its own package manager. The shape of the command is the same; the binary differs. Always include --only-upgrade (or the distro equivalent) so you don't accidentally pull in something new.

Ubuntu / Debian

Check installed version

dpkg -l <package>

Upgrade single package

sudo apt-get update && sudo apt-get install --only-upgrade -y <package>

Kernel + reboot

sudo apt-get install --only-upgrade -y linux-image-generic && sudo reboot

Alpine

Check installed version

apk info -v <package>

Upgrade single package

apk update && apk add --upgrade <package>

Kernel + reboot

apk add --upgrade linux-virt && reboot

AlmaLinux / Rocky Linux

Check installed version

rpm -q <package>

Upgrade single package

sudo dnf upgrade -y <package>

Kernel + reboot

sudo dnf upgrade -y kernel && sudo reboot

4. Verify — confirm the fix landed

Don't assume an apt install exit code of 0 means you're patched. Re-run the quickscan, or compare versions directly:

# After patching openssh-server on Ubuntu 24.04
dpkg -l openssh-server | grep ^ii
# Expect version ≥ 1:9.6p1-3ubuntu13.16

# Or just re-run the quickscan
curl https://mindsparkstack.com/scan.sh | bash

For kernel CVEs, also verify the running kernel matches the latest installed:

uname -r                          # running kernel
dpkg -l 'linux-image-*' | grep ^ii # installed kernels (quote the glob so the shell doesn't expand it) — pick latest
# If those differ → reboot needed
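The running-vs-installed kernel check above, as an added example that is not part of the StackPatch guide: it takes the `uname -r` string and the list of installed linux-image package names as arguments, so it can be exercised with constructed data offline, and it picks the newest concrete kernel by numeric comparison instead of relying on `dpkg -l` ordering. Function names and the numeric-only version comparison are this example's own assumptions (Debian version ordering is richer than four numeric fields).

```shell
#!/bin/sh
# Added example (not the page's code). On a real Ubuntu/Debian host call it as:
#   kernel_reboot_needed "$(uname -r)" "$(dpkg-query -W -f='${Package}\n' 'linux-image-*')"

# Keep only concrete kernel packages (linux-image-<version>); metapackages such as
# linux-image-generic carry no version in their name and are dropped.
installed_kernel_versions() {
  printf '%s\n' "$1" | sed -n 's/^linux-image-\([0-9][^ ]*\)$/\1/p'
}

# Newest installed kernel, comparing the first four dotted/dashed fields
# numerically (e.g. 6.8.0-51-generic -> 6 8 0 51). Assumption: four fields suffice.
newest_kernel() {
  installed_kernel_versions "$1" | awk -F'[.-]' '
    {
      better = (NR == 1)
      if (!better) {
        for (i = 1; i <= 4; i++) {
          if ($i + 0 != b[i] + 0) { better = ($i + 0 > b[i] + 0); break }
        }
      }
      if (better) { best = $0; split($0, b, /[.-]/) }
    }
    END { print best }'
}

# Exit status 0 when the running kernel is not the newest installed one
# (reboot needed), 1 when it already is or no kernel package was found.
kernel_reboot_needed() {
  running="$1"
  latest="$(newest_kernel "$2")"
  if [ -n "$latest" ] && [ "$running" != "$latest" ]; then
    return 0
  fi
  return 1
}

# Constructed sample: two installed kernels plus the metapackage, host still on the old one.
SAMPLE_PACKAGES="linux-image-6.8.0-45-generic
linux-image-6.8.0-51-generic
linux-image-generic"
if kernel_reboot_needed "6.8.0-45-generic" "$SAMPLE_PACKAGES"; then
  echo "reboot needed: running 6.8.0-45-generic, installed $(newest_kernel "$SAMPLE_PACKAGES")"
fi
```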

5. Prove — share the audit URL

Patching is half the battle. The other half is convincing customers, prospects, and security questionnaires that you actually do it. This is where most indie SaaS founders punt: “we keep things updated” doesn't close security-due-diligence questions on a $3K/year contract.

StackPatch generates a public audit URL per monitored server. Active findings, applied mitigations, recent resolutions, package + container counts, kernel state. Updated hourly. Live demo here — that's our own VPS, no NDA, no signup.

Suggested customer reply

We use StackPatch for continuous CVE monitoring on our infrastructure. Live audit page:
https://mindsparkstack.com/patch/audit/<your-server-slug>

Updates hourly. Active findings, applied mitigations, and recent resolutions are all visible
without an account.

6. Cadence — what to automate

Manual patching is fine for a quarterly sweep but loses to automation when CVEs drop multiple times per week (which they do — see the 7-day digest). Minimum viable automation:

  • Hourly: inventory snapshot of installed packages.
  • Hourly: match inventory against the latest CVE feeds.
  • Per-finding: email or Discord/Slack webhook alert.
  • Weekly digest: what landed, what's outstanding.
  • Always: public audit URL for due diligence.

That's exactly what StackPatch ships. $99 lifetime founder seat (50 only) covers 3 servers, hourly scan, email + webhook alerts, public audit URL. Honest comparison vs vuls.io if you want to roll your own.

7. Common mistakes

  • Assuming `apt upgrade` is a CVE-aware operation. It isn't. It pulls every available newer version, which can break things. Use --only-upgrade targeting the specific package and pin the version when remediating a single CVE.
  • Forgetting the kernel reboot. Running kernels stay vulnerable even after a successful apt install linux-image. uname -r vs the latest installed kernel is the source-of-truth check.
  • Treating ESM CVEs as “not applicable.” Ubuntu Pro is free for 5 personal-use machines; the fix is one pro attach away. Skipping ESM-only fixes leaves real exposure on the table.
  • Not verifying. Apt exit code 0 doesn't mean the package upgraded — sometimes it skips silently if a hold is set or the repo is stale.
  • Patching without proof. If a customer asks “how do you handle security updates?”, “we update regularly” is a stalling answer. A live audit URL closes the question.
  • Internet-exposed admin UIs. n8n, traefik dashboards, vault UIs — anything with a default port that's “just for testing” ends up scanned. We learned this the hard way (2026-05-01 postmortem).

Stop reading. Start scanning.

5 seconds, no signup, runs on Ubuntu/Debian/Alpine/AlmaLinux/Rocky Linux:

curl https://mindsparkstack.com/scan.sh | bash