A CVE list is not a remediation plan.
Your scanner flags the CVE. Linux runtime state decides whether it is actually closed: old libraries still mapped, vulnerable kernels still running, restart and reboot debt hiding behind a fixed package. oxharden reconciles installed packages against running code, then hands back one action: update, restart, reboot, review, or close.
Scanner queues pile up because the next action is unclear.
Most scanners are good at surfacing CVEs. The hard part is explaining what the Linux team should actually do next: update a package, restart a service, reboot a host, validate exposure, or close the finding with evidence.
Version-only closure
A fixed package on disk does not prove the vulnerable code stopped running.
Restart & reboot ambiguity
Teams often know something was patched, but not whether services or kernels actually moved to the fixed code.
Too many generic tickets
A CVE ticket without package, fixed version, runtime state, and action guidance just slows remediation.
Weak evidence for closure
Security needs proof the fix landed. Infrastructure needs proof the action cleared the risk.
Every finding should resolve to an operational action.
Five checks turn a raw CVE into a verdict. A finding does not close until the installed version, the vendor fix, and the running code all agree — and the evidence goes with it.
CVE
Identify the affected CVEs and the exact Linux packages behind each finding.
Vendor-fixed version
Compare the installed package against the vendor-fixed version-release (EVR) for the distro.
Runtime state
Check loaded libraries, deleted mappings, long-running services, and the running kernel.
Verdict
Classify the finding: update, restart, reboot, review, or clean — the exact next step.
Evidence
Produce a report security and infrastructure can both use to close with proof.
Group vulnerability work by what actually clears it.
Instead of one long CVE list, every finding lands in one of five operational buckets — a compact remediation taxonomy. The evidence table below carries the detail.
The installed package is below the vendor-fixed EVR.
The fixed package is on disk, but a service still maps the old vulnerable code.
A fixed kernel is installed, but the vulnerable kernel is still running.
The package is present, but reachability or service impact needs confirmation.
The package is fixed and no stale runtime state is detected.
The finding carries the proof with it.
Every finding, side by side: severity, affected package, installed version, vendor-fixed version, the runtime evidence that decides the verdict, and the one action left to close it.
| CVE | Severity | Package | Installed | Vendor-fixed | Runtime evidence | Status | Action |
|---|---|---|---|---|---|---|---|
| CVE CVE-2024-1086 | Severity 9.8 | Package kernel | Installed 5.14.0-427 | Vendor-fixed 5.14.0-503 | Evidence running kernel is old | Status Reboot host | Action reboot host |
| CVE CVE-2022-3602 | Severity 7.5 | Package openssl-libs | Installed fixed on disk | Vendor-fixed 3.0.7-27 | Evidence old libssl mapped by nginx | Status Restart service | Action restart nginx |
| CVE CVE-2024-2961 | Severity 8.1 | Package glibc | Installed fixed on disk | Vendor-fixed 2.34-100 | Evidence deleted lib mapped by long-running procs | Status Restart service | Action restart services |
| CVE CVE-2023-38545 | Severity 9.8 | Package curl | Installed fixed on disk | Vendor-fixed 7.76.1-31 | Evidence no stale maps | Status Verified fixed | Action none |
Keep your scanner. Add Linux proof.
oxharden is not trying to replace vulnerability scanners. It gives Linux teams the host-level evidence needed to explain, prioritize, and close findings with confidence.
Cleaner handoff to infrastructure, with CVE-to-action evidence instead of generic tickets.
Clear next steps: update, restart, reboot, review, or close — grouped by host.
A reportable view of what is still open, what is verified fixed, and what needs downtime.
Host-level evidence showing what was present, what changed, and what remains.
Built for enterprise Linux evidence.
Host-level evidence for CIS, DISA STIG, PCI & CMMC workflows — oxharden supplies the proof, not the attestation.
See what your CVE queue is missing.
Review a sample Patch Truth report or run a one-host snapshot to see how oxharden turns Linux vulnerability findings into clear remediation evidence.