Disk says patched. Running code may disagree.
A one-host report showing vulnerable packages, fixed versions, running-code evidence, and the next action: update, restart, reboot, review, or no action.
See the disk vs running-code evidenceThe top of a real report.
Everything a reader needs before the detail: one host, what it runs, and how much of its "patched" state is actually live.
Installed on disk vs actually running.
This is where most scanners stop. A fix being installed is not the same as the fix being live — long-running services keep mapping the old code until they restart.
Each row compares the package version on disk against the code still loaded in memory, with the process-level evidence and the exact next action. Rows highlighted below are running-code deltas.
| Package | Installed on disk | Fixed version | Running-code evidence | Status | Action |
|---|---|---|---|---|---|
| openssl-libs | 1:3.0.7-28.el9_4 | 1:3.0.7-28.el9_4 | nginx (pid 1182), postgres (pid 1547) still map libssl.so.3 @ 3.0.7-25 (deleted) | Running-code delta | Restart nginx, postgres |
| kernel | 5.14.0-503.el9 | 5.14.0-503.el9 | Fixed kernel installed, but running kernel is still 5.14.0-427.el9 | Reboot likely | Reboot host |
| glibc | 2.34-100.el9_4 | 2.34-100.el9_4 | 41 processes still map ld-linux-x86-64.so.2 @ 2.34-83 (deleted) | Restart required | Restart affected services |
| expat | 2.5.0-2.el9 | 2.5.0-3.el9_4 | Loaded by libxml2 in running services — fix not yet on disk | Package update required | Update expat, then restart |
| libxml2 | 2.9.13-6.el9 | 2.9.13-6.el9_4 | Linked into long-running services — reachability needs confirmation | Needs review | Review + restart |
| curl | 7.76.1-31.el9 | 7.76.1-31.el9 | Reloaded after update · no stale maps found | Clean | No action |
Each finding carries its remediation.
Not a raw CVE dump. Every row ties a vulnerability to the package version present, the vendor fix, the affected service, and the exact next step.
| CVE | Severity | Package | Installed → fixed | Affected service | Recommended action |
|---|---|---|---|---|---|
| CVE-2024-1086KEV | Critical | kernel | 5.14.0-427.el9→5.14.0-503.el9 | running kernel | Reboot host |
| CVE-2022-3602 | High | openssl-libs | 3.0.7-25 (mapped)→3.0.7-28.el9_4 | nginx, postgres | Restart services |
| CVE-2023-0286 | High | openssl-libs | 3.0.7-25 (mapped)→3.0.7-28.el9_4 | nginx | Restart nginx |
| CVE-2024-2961 | High | glibc | 2.34-83 (mapped)→2.34-100.el9_4 | 41 processes | Restart services |
| CVE-2023-44487 | Medium | nginx | 1.20.1-14.el9→1.20.1-16.el9_4 | nginx | Update + restart |
| CVE-2024-25062 | Medium | libxml2 | 2.9.13-6.el9→2.9.13-6.el9_4 | — | Manual review |
| CVE-2023-38545 | High | curl | 7.76.1-29.el9→7.76.1-31.el9 | — | Verified fixed |
Evidence a client, manager, or auditor can actually use.
Forwardable proof, not sales copy. Every question a reviewer asks about a host is answered on one page.
Grouped by the next operational step.
The report doesn't just say "you have CVEs." It sorts every finding into the action that clears it — so the next move is obvious.
Run a one-host snapshot
Generate your own report from one supported Linux host. Read-only, short-lived, exits after upload — no agent installed.
Book a guided demo
See oxharden on fleet data, then talk through how the report maps to your Linux environment, clients, or compliance workflow.