Skip to main content
Linux vulnerability management

A CVE list is not a remediation plan.

Your scanner flags the CVE. Linux runtime state decides whether it is actually closed: old libraries still mapped, vulnerable kernels still running, restart and reboot debt hiding behind a fixed package. oxharden reconciles installed packages against running code, then hands back one action: update, restart, reboot, review, or close.

Read-only collection Works alongside your scanner No remediation during scan
acme-prod / linux-findings189 findings
Raw scanner findingsCVE list
CVE-2024-10869.8
CVE-2022-36027.5
CVE-2024-29618.1
CVE-2023-385459.8
oxharden verdictsnext action
kernelReboot host
openssl-libsRestart nginx
expatUpdate package
curlVerified fixed
CVE → ACTIONSame findings, grouped by what actually clears them.
The problem

Scanner queues pile up because the next action is unclear.

Most scanners are good at surfacing CVEs. The hard part is explaining what the Linux team should actually do next: update a package, restart a service, reboot a host, validate exposure, or close the finding with evidence.

Version-only closure

A fixed package on disk does not prove the vulnerable code stopped running.

Restart & reboot ambiguity

Teams often know something was patched, but not whether services or kernels actually moved to the fixed code.

Too many generic tickets

A CVE ticket without package, fixed version, runtime state, and action guidance just slows remediation.

Weak evidence for closure

Security needs proof the fix landed. Infrastructure needs proof the action cleared the risk.

From CVE to action

Every finding should resolve to an operational action.

Five checks turn a raw CVE into a verdict. A finding does not close until the installed version, the vendor fix, and the running code all agree — and the evidence goes with it.

01cve

CVE

Identify the affected CVEs and the exact Linux packages behind each finding.

CVE-2022-3602openssl
matched1 package
02vendor fix

Vendor-fixed version

Compare the installed package against the vendor-fixed version-release (EVR) for the distro.

installed3.0.7-18
fixed-in3.0.7-27
03running

Runtime state

Check loaded libraries, deleted mappings, long-running services, and the running kernel.

nginxold map
kernel427 ≠ 503
04verdict

Verdict

Classify the finding: update, restart, reboot, review, or clean — the exact next step.

web-01restart
db-02reboot
05evidence

Evidence

Produce a report security and infrastructure can both use to close with proof.

reportexported
re-scanverifies
Action groups

Group vulnerability work by what actually clears it.

Instead of one long CVE list, every finding lands in one of five operational buckets — a compact remediation taxonomy. The evidence table below carries the detail.

Update package

The installed package is below the vendor-fixed EVR.

e.g.expat
Restart service

The fixed package is on disk, but a service still maps the old vulnerable code.

e.g.openssl-libs
Reboot host

A fixed kernel is installed, but the vulnerable kernel is still running.

e.g.kernel
Manual review

The package is present, but reachability or service impact needs confirmation.

e.g.glibc
Close finding

The package is fixed and no stale runtime state is detected.

e.g.curl
Evidence table

The finding carries the proof with it.

Every finding, side by side: severity, affected package, installed version, vendor-fixed version, the runtime evidence that decides the verdict, and the one action left to close it.

Linux findings — work queueacme-prod · 4 findings · generated Jul 4, 2026
3 open
CVESeverityPackageInstalledVendor-fixedRuntime evidenceStatusAction
CVE CVE-2024-1086Severity 9.8Package kernelInstalled 5.14.0-427Vendor-fixed 5.14.0-503Evidence running kernel is oldStatus Reboot hostAction reboot host
CVE CVE-2022-3602Severity 7.5Package openssl-libsInstalled fixed on diskVendor-fixed 3.0.7-27Evidence old libssl mapped by nginxStatus Restart serviceAction restart nginx
CVE CVE-2024-2961Severity 8.1Package glibcInstalled fixed on diskVendor-fixed 2.34-100Evidence deleted lib mapped by long-running procsStatus Restart serviceAction restart services
CVE CVE-2023-38545Severity 9.8Package curlInstalled fixed on diskVendor-fixed 7.76.1-31Evidence no stale mapsStatus Verified fixedAction none
Status:Update packageRestartRebootReviewClean re-scan to verify
Fits your VM program

Keep your scanner. Add Linux proof.

oxharden is not trying to replace vulnerability scanners. It gives Linux teams the host-level evidence needed to explain, prioritize, and close findings with confidence.

For security teams

Cleaner handoff to infrastructure, with CVE-to-action evidence instead of generic tickets.

For infrastructure

Clear next steps: update, restart, reboot, review, or close — grouped by host.

For managers

A reportable view of what is still open, what is verified fixed, and what needs downtime.

For auditors

Host-level evidence showing what was present, what changed, and what remains.

oxharden sits next to your scanner — it adds the Linux host evidence, it does not replace detection.

Built for enterprise Linux evidence.

RHELRocky LinuxAlmaLinuxOracle LinuxAmazon Linux 2023CISDISA STIGPCICMMC

Host-level evidence for CIS, DISA STIG, PCI & CMMC workflows — oxharden supplies the proof, not the attestation.

Read-only collection
One-host snapshot available
RPM-based Linux support
Vendor advisory matching
Runtime-state evidence
No remediation during scan
Close with evidence

See what your CVE queue is missing.

Review a sample Patch Truth report or run a one-host snapshot to see how oxharden turns Linux vulnerability findings into clear remediation evidence.

Read-only snapshot available for supported RPM-based Linux hosts — or book a 15-min report review.
CVE → actionTurn Linux findings into a clear next step.
View sample report