CVE management
The practical guide to triaging, prioritising, and patching CVEs without losing your weekend. CVSS, EPSS, KEV, exposure context, and the rules that separate "fix tonight" from "ignore for now" — written for homelab and small-fleet operators, not enterprise SOC teams.
The core problem
A weekly CVE scan on a small Linux fleet routinely returns hundreds of findings — most of them theoretical, a few genuinely urgent — and the operator's job is to tell the difference quickly. "Patch everything immediately" isn't a strategy; it's a reliability incident waiting to happen. "Patch nothing" isn't either; that's how regreSSHion ends up RCE-ing your jump box. The middle path is informed prioritisation, and it depends on three numbers most homelab operators have never had to think about.
The three numbers that matter
Every modern CVE triage decision rests on three signals:
- CVSS — the severity score, 0-10, published by NVD. Tells you how bad this would be if exploited. It does not tell you whether anyone is actually exploiting it.
- EPSS — the Exploit Prediction Scoring System, a 0-1 probability that a CVE will be exploited in the next 30 days. Tells you how likely it is. A far better signal than CVSS for triage. See the deep dive in EPSS explained — when CVSS isn't enough.
- CISA KEV — the Known Exploited Vulnerabilities catalogue. Binary signal: is this CVE confirmed exploited in the wild? If yes, you patch now regardless of CVSS score. The KEV catalogue is the single highest-precision triage signal you have.
Together they form the canonical CVE triage matrix: KEV-listed → patch immediately; high-EPSS + high-CVSS → patch this week; high-CVSS but low-EPSS → patch on cycle; everything else → log and ignore. The full decision tree, with worked examples, is in how to triage CVE findings: critical, high, medium, and "ignore for now".
Glossary first
Before you can triage, you need to know what the acronyms actually mean. CVE, CVSS, CWE, CPE, KEV, EPSS, NVD, SBOM — there are 13 of them in routine use, all genuinely necessary, none self-explanatory. CVE, CVSS, CWE, CPE: a plain-English glossary walks through each one in the order you'll meet them.
Patching cadence
The cadence question — daily? weekly? monthly? — has a practical answer for fleets of 5-50 hosts: nightly scan, monthly patch window, with KEV findings cutting the queue. The reasoning is in how often should you scan your homelab.
Two related traps: continuous CVE scanning vs periodic patching covers why scan frequency and patch frequency answer different questions (scan finds drift, patch fixes it — they're not substitutes). And the patching gap covers why apt upgrade alone misses Plex, Grafana, Pi-hole, and the *arr suite — the software where homelab CVEs actually accumulate.
The full reading list
- How to triage CVE findings: critical, high, medium, and "ignore for now"
  The decision matrix homelab operators actually need. CVSS, KEV, EPSS, exposure context — combined.
- EPSS explained — when CVSS isn't enough
  How EPSS is built, why it complements (not replaces) CVSS, and how to combine all three signals (CVSS + EPSS + KEV).
- CVE, CVSS, CWE, CPE: a plain-English glossary
  13 vulnerability and security acronyms decoded. Bookmark this if you're new to the field.
- Continuous CVE scanning vs periodic patching
  Why patching alone misses what scanning catches — and why "do both" is the right answer.
- The patching gap for self-hosted services
  apt upgrade doesn't touch your homelab's most-attacked surfaces. How to close the gap.
- How often should you scan your homelab?
  Daily, weekly, monthly? The cadence question, with a practical answer for 5-50 host fleets.
Worked examples — recent CVEs in homelabs
Theory is fine; worked examples make it concrete. Each of the posts below applies the triage framework to a real CVE that hit homelabs.
- regreSSHion (CVE-2024-6387)
  OpenSSH signal-handler race producing pre-auth RCE on glibc Linux. KEV-listed, high-EPSS, immediate-patch territory.
- CVE-2024-3094 (xz/liblzma backdoor)
  The 2024 supply-chain backdoor in xz-utils. What it actually did, who shipped affected versions, what supply-chain hygiene a homelab can practice.
- CVE-2022-3602 and CVE-2022-3786 (OpenSSL)
  The X.509 email-address buffer overflows. How to find affected hosts across your fleet — and why these scored lower than the initial panic suggested.
- CVE-2024-21626 (runc container breakout)
  A file-descriptor leak in runc letting a container escape to the host. Why it matters on a Proxmox or Docker homelab, and how to spot vulnerable runtimes.
- CVE-2024-47176 (CUPS on your LAN)
  The cups-browsed exposure that turned a printing service into a remote-code-execution path. How exposure context, not just CVSS, decides urgency here.
- CVE-2023-4863 (libwebp bundled everywhere)
  A heap overflow in a library bundled into dozens of apps — the canonical example of why package-manager updates alone miss vendored dependencies.
Tooling that fits the homelab shape
Noxen is a Mac-native CVE scanner built around this triage philosophy. It pulls a daily NVD/OSV feed, matches it against installed packages on your remote Linux hosts over SSH, and surfaces findings ranked by KEV / EPSS / CVSS — not by raw CVSS alone. It's the version of Nessus that fits a homelab budget and homelab shape.
Frequently asked
What's the difference between CVSS and EPSS?
CVSS (0–10) tells you how bad a vulnerability would be if exploited; EPSS (0–1) tells you how likely it is to be exploited in the next 30 days. Prioritise with EPSS, size impact with CVSS — and let EPSS and KEV override raw severity.
Do I need to patch every CVE my scanner finds?
No. Triage in order: CISA KEV → patch now; high-EPSS + high-CVSS → this week; high-CVSS, low-EPSS → on cycle; everything else → log and ignore. Patching everything immediately is its own reliability risk.
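The four-bucket matrix described above (and in "The three numbers that matter") is small enough to write down as code, which is the easiest way to check that KEV really does override the scores. The following is an added example, not code from this page or from Noxen. The page never gives numeric cut-offs for "high-CVSS" and "high-EPSS", so the thresholds here are assumptions (7.0 is the lower bound of the CVSS v3 "High" band; the EPSS cut-off is an operator's choice), and the sample findings are constructed: the CVE ids are ones this page names, the `CVE-EXAMPLE-…` ids are placeholders, and the scores and hostnames are illustrative rather than real NVD or FIRST data.

```python
"""Triage CVE findings into the four buckets this page describes.

Added example; thresholds and sample data are assumptions, see the lead-in.
"""
from dataclasses import dataclass

# Assumed thresholds, not stated on the page.
HIGH_CVSS = 7.0   # lower bound of the CVSS v3 "High" qualitative band
HIGH_EPSS = 0.10  # operator-chosen; tune to your own risk appetite

# Bucket labels, in the order the page gives them.
PATCH_NOW = "patch immediately (KEV-listed)"
THIS_WEEK = "patch this week (high EPSS + high CVSS)"
ON_CYCLE = "patch on cycle (high CVSS, low EPSS)"
LOG_ONLY = "log and ignore"

URGENCY = {PATCH_NOW: 0, THIS_WEEK: 1, ON_CYCLE: 2, LOG_ONLY: 3}


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float    # 0-10, NVD base score
    epss: float    # 0-1, probability of exploitation within 30 days
    in_kev: bool   # present in the CISA KEV catalogue


def triage(f: Finding) -> str:
    """Apply the decision matrix to one finding. KEV wins regardless of score."""
    if not (0.0 <= f.cvss <= 10.0) or not (0.0 <= f.epss <= 1.0):
        raise ValueError(f"{f.cve}: CVSS must be 0-10 and EPSS 0-1")
    if f.in_kev:
        return PATCH_NOW
    if f.cvss >= HIGH_CVSS and f.epss >= HIGH_EPSS:
        return THIS_WEEK
    if f.cvss >= HIGH_CVSS:
        return ON_CYCLE
    return LOG_ONLY


def build_queue(findings):
    """Return (bucket, finding) pairs, most urgent first.

    Within a bucket, higher EPSS comes first, then higher CVSS, so the
    queue reads top-down as "what do I fix next".
    """
    triaged = [(triage(f), f) for f in findings]
    triaged.sort(key=lambda pair: (URGENCY[pair[0]], -pair[1].epss, -pair[1].cvss))
    return triaged


# Constructed sample scan output (hostnames, scores and KEV flags are illustrative).
SAMPLE_FINDINGS = [
    Finding("CVE-2024-6387", "jump01", cvss=8.1, epss=0.60, in_kev=True),
    Finding("CVE-2023-4863", "media01", cvss=8.8, epss=0.25, in_kev=True),
    Finding("CVE-EXAMPLE-0001", "grafana01", cvss=9.8, epss=0.40, in_kev=False),
    Finding("CVE-2022-3602", "web01", cvss=7.5, epss=0.02, in_kev=False),
    Finding("CVE-EXAMPLE-0002", "dns01", cvss=5.3, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    for bucket, f in build_queue(SAMPLE_FINDINGS):
        print(f"{bucket:42} {f.cve:18} {f.host:10} cvss={f.cvss:<4} epss={f.epss:.2f}")
```

Note that the placeholder `CVE-EXAMPLE-0001` has a higher CVSS than either KEV entry and still lands in the second bucket: that is the whole point of the matrix. EPSS scores are republished daily, so re-run the triage on every scan rather than caching yesterday's buckets.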
How often should I scan for CVEs on a homelab?
Nightly scan, monthly patch window, KEV findings cutting the queue — the reasoning is in how often should you scan your homelab.
Does apt upgrade cover all my CVEs?
No — it only patches what the package manager installed. Self-hosted apps (Plex, Grafana, Pi-hole, the *arr suite) live outside it, and that's where homelab CVEs pile up. See the patching gap.
Related topic pages
- Homelab security
  The broader pillar — SSH hygiene, TLS expiry, exposed admin surfaces, Linux hardening. CVE management is one piece of that picture.