CVE coverage
Rocky Linux 9 CVE tracker
Noxen pulls Rocky Linux 9 CVE data from the same upstream sources Red Hat publishes against (RHEL 9 binary-compatible). NVD provides the upstream advisory; OSV's Red Hat ecosystem feed provides the rpm-level fix versions.
How matching works
What Noxen does for a Rocky 9 host
- Reads /etc/os-release to confirm Rocky 9 (RHEL 9 binary-compatible).
- Reads rpm -qa for installed packages, including epoch and release.
- Filters the local feed cache to OSV records tagged with ecosystem Rocky Linux:9 / Red Hat:9, plus NVD records whose CPE matches the installed packages.
- Compares installed vs fix versions using rpm version semantics (epoch:version-release).
- Emits findings only where the installed version is strictly older than the fix.
Live listings
Top recent critical CVEs (Red Hat ecosystem (RHEL / Rocky / AlmaLinux))
Most-recently-published critical CVEs in the Red Hat ecosystem (RHEL / Rocky / AlmaLinux). Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| RLSA-2026:22963 | critical | 9.0 | Critical: samba security update | samba | 0:4.23.5-109.el10_2 | |
| RLSA-2026:22714 | critical | 9.1 | Important: osbuild-composer security update | osbuild-composer | 0:165.1-2.el9_8.rocky.0.1 | |
| RLSA-2026:22644 | critical | 9.0 | Important: samba security update | samba | 0:4.19.4-16.el8_10 | |
| RLSA-2026:22450 | critical | 9.1 | Important: osbuild-composer security update | osbuild-composer | 0:165.1-2.el10_2.rocky.0.1 | |
| RLSA-2026:22937 | critical | 9.1 | Important: image-builder security update | image-builder | 0:52.1-1.el10_2.rocky.0.1 | |
| RLSA-2026:23228 | critical | 9.1 | Important: image-builder security update | image-builder | 0:52.1-1.el9_8 | |
| RLSA-2026:21755 | critical | 9.0 | Important: flatpak security update | flatpak | 0:1.12.9-4.el9_8.1 | |
| RLSA-2026:20606 | critical | 9.1 | Important: ruby4.0 security update | ruby4.0 | 0:4.0.3-34.el10_2 | |
Top recent high-severity CVEs (Red Hat ecosystem (RHEL / Rocky / AlmaLinux))
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| RLSA-2026:25120 | high | 8.8 | Critical: kernel-rt security update | kernel-rt | 0:4.18.0-553.132.1.rt7.473.el8_10 | |
| RLSA-2026:25121 | high | 8.8 | Critical: kernel security update | kernel | 0:4.18.0-553.132.1.el8_10 | |
| RLSA-2026:24984 | high | 7.8 | Important: poppler security update | poppler | 0:20.11.0-14.el8_10 | |
| RLSA-2026:25110 | high | 7.5 | Important: .NET 8.0 security update | dotnet8.0 | 0:8.0.128-1.el8_10 | |
| RLSA-2026:25113 | high | 7.5 | Important: .NET 9.0 security update | dotnet9.0 | 0:9.0.118-1.el8_10 | |
| RLSA-2026:25114 | high | 7.5 | Important: .NET 10.0 security update | dotnet10.0 | 0:10.0.109-1.el8_10 | |
| RLSA-2026:24331 | high | 8.2 | Important: cockpit-image-builder security update | cockpit-image-builder | 0:94.3-1.el10_2 | |
| RLSA-2026:24716 | high | 7.8 | Important: yggdrasil security update | yggdrasil | 0:0.4.9-5.el10_2 | |
Notable
Recent CVEs that Rocky 9 homelabs care about.
- CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE. Red Hat advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild. Red Hat advisory.
- CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1. Red Hat advisory · Noxen deep-dive.
FAQ
Frequently asked about Rocky 9 CVEs
How is Rocky Linux 9 different from RHEL 9 for CVE tracking?
Rocky Linux 9 is binary-compatible with RHEL 9. Fixes land in Rocky errata within days of the corresponding RHEL release. Noxen matches against the Red Hat ecosystem feed plus Rocky errata to capture both channels.
How do I check Rocky 9 CVEs on a host?
For a quick check: dnf updateinfo list security. For per-CVE detail with fix versions, Noxen reads rpm package state over SSH and matches against the live ecosystem feed using rpm version semantics.
Will Noxen flag a CVE that Rocky Linux 9 has already backported a fix for?
No. Red Hat-family distros backport security fixes without changing the upstream version number — the fix shows up as a higher release field (the part after the dash in epoch:version-release). Noxen compares the installed epoch:version-release against the fixed package version using rpm version semantics, so a host that has applied the backported errata is correctly shown as patched rather than as a false positive.
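The comparison described under "How matching works" and in the backport answer above, as an added Python example (not Noxen's code): it follows the segment rules of rpm's rpmvercmp and applies them to epoch, then version, then release. The host labels and installed versions are constructed; the fix value is the flatpak "Fix in" entry from the critical listing.

```python
import re

_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")  # other characters only separate segments

def rpmvercmp(a, b):
    """Compare one version or release string as rpm does; returns -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == y and x in ("~", "^"):
            continue
        if "~" in (x, y):                  # tilde sorts before everything, even end of string
            return -1 if x == "~" else 1
        if "^" in (x, y):                  # caret sorts after the bare base, before a longer version
            return -1 if x in (None, "^") and y is not None else 1
        if x is None or y is None:         # all shared segments equal: the longer string is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():     # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def parse_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    head, _, release = evr.rpartition("-")
    epoch, _, version = head.rpartition(":")
    if not version:
        raise ValueError(f"expected [epoch:]version-release, got {evr!r}")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:                           # epoch overrides version and release
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_vulnerable(installed, fixed):
    return evr_cmp(installed, fixed) < 0   # strictly older than the fix

# Constructed inventory; FIX is the flatpak "Fix in" value from the critical listing on this page.
FIX = "0:1.12.9-4.el9_8.1"
HOSTS = {"unpatched": "1.12.9-4.el9", "patched": "0:1.12.9-4.el9_8.1",
         "rebased": "0:1.14.4-2.el9", "epoch-bump": "1:1.0.0-1.el9"}

def findings():
    return sorted(h for h, evr in HOSTS.items() if is_vulnerable(evr, FIX))
```

Only the "unpatched" host is reported: its upstream version equals the fix's, so a version-only comparison would miss that the release field is older.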
Which Rocky Linux 9 CVEs should I patch first?
Severity alone is a poor sort key. Noxen ranks findings by exposure first — a high-severity CVE in a package behind an internet-facing service outranks a critical one in a library nothing reaches — then by CVSS and EPSS. The EPSS prioritisation guide walks through the reasoning.
Scan a Rocky 9 fleet with Noxen
Add your Rocky 9 hosts via your existing ~/.ssh/config; Noxen reads rpm package state and matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.