CVE coverage
Rocky Linux 8 CVE tracker
Noxen pulls Rocky Linux 8 CVE data from the same upstream sources Red Hat publishes against (RHEL 8 binary-compatible). NVD provides the upstream advisory; OSV's Red Hat ecosystem feed provides the rpm-level fix versions. Rocky 8 has active maintenance through May 2029.
How matching works
What Noxen does for a Rocky 8 host
- Reads /etc/os-release to confirm Rocky 8 (RHEL 8 binary-compatible).
- Reads rpm -qa for installed packages, including epoch and release.
- Filters the local feed cache to OSV records tagged with ecosystem Rocky Linux:8 / Red Hat:8, plus NVD records whose CPE matches the installed packages.
- Compares installed vs fix versions using rpm version semantics (epoch:version-release).
- Emits findings only where the installed version is strictly older than the fix.
Live listings
Top recent critical CVEs (Red Hat ecosystem (RHEL / Rocky / AlmaLinux))
Most-recently-published critical CVEs in the Red Hat ecosystem (RHEL / Rocky / AlmaLinux). Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| RLSA-2026:22450 | critical | 9.1 | Important: osbuild-composer security update | osbuild-composer | 0:165.1-2.el10_2.rocky.0.1 | |
| RLSA-2026:22937 | critical | 9.1 | Important: image-builder security update | image-builder | 0:52.1-1.el10_2.rocky.0.1 | |
| RLSA-2026:23228 | critical | 9.1 | Important: image-builder security update | image-builder | 0:52.1-1.el9_8 | |
| RLSA-2026:21755 | critical | 9.0 | Important: flatpak security update | flatpak | 0:1.12.9-4.el9_8.1 | |
| RLSA-2026:20606 | critical | 9.1 | Important: ruby4.0 security update | ruby4.0 | 0:4.0.3-34.el10_2 | |
| RLSA-2026:21757 | critical | 9.0 | Important: flatpak security update | flatpak | 0:1.16.0-9.el10_2.1 | |
| RLSA-2024:8834 | critical | 9.1 | Important: python-gevent security update | python-gevent | 0:1.2.2-5.el8 | |
| RLSA-2026:19135 | critical | 9.1 | Important: opentelemetry-collector security update | opentelemetry-collector | 0:0.144.0-2.el10_2 | |
Top recent high-severity CVEs (Red Hat ecosystem (RHEL / Rocky / AlmaLinux))
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| RLSA-2026:23231 | high | 8.1 | Important: unbound security update | unbound | 0:1.24.2-7.el10_2.1 | |
| RLSA-2026:23388 | high | 7.5 | Important: php security update | php | 0:8.3.31-1.el10_2 | |
| RLSA-2026:22643 | high | 7.5 | Important: thunderbird security update | thunderbird | 0:140.11.0-1.el8_10 | |
| RLSA-2026:23360 | high | 7.5 | Important: bind9.16 security update | bind9.16 | 2:9.16.23-0.22.el8_10.6 | |
| RLSA-2026:20613 | high | 8.2 | Important: gnutls security update | gnutls | 0:3.8.10-4.el10_2 | |
| RLSA-2026:22649 | high | 8.2 | Important: php8.4 security update | php8.4 | 0:8.4.21-1.el10_2 | |
| RLSA-2026:22141 | high | 7.8 | Moderate: go-fdo-client and go-fdo-server security update | go-fdo-server | 0:1.0.1-2.el10_2 | |
| RLSA-2026:22145 | high | 7.5 | Important: .NET 10.0 security update | dotnet10.0 | 0:10.0.108-1.el10_2 | |
Notable
Recent CVEs that Rocky 8 fleets care about.
- CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE. Red Hat advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild. Red Hat advisory.
- CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1. Red Hat advisory · Noxen deep-dive.
FAQ
Frequently asked about Rocky 8 CVEs
Is Rocky Linux 8 still supported in 2026?
Yes — Rocky Linux 8 tracks RHEL 8's active maintenance phase through May 2029. Security errata land in lockstep with Red Hat; the Rocky project publishes its own errata stream cross-referenced with the RHEL channel.
How is Rocky 8 different from Rocky 9 for CVE tracking?
Different package version sets, different backport lines. The same upstream CVE typically has separate fix versions in the RHEL 8 channel and the RHEL 9 channel. Noxen reads rpm -qa and /etc/os-release to pick the right ecosystem filter automatically.
How do I check Rocky 8 CVEs on a host?
For a quick check: dnf updateinfo list security. For per-CVE detail with fix versions, Noxen reads rpm package state over SSH and matches against the live ecosystem feed using rpm version semantics.
Will Noxen flag a CVE that Rocky Linux 8 has already backported a fix for?
No. Red Hat-family distros backport security fixes without changing the upstream version number — the fix shows up as a higher release field (the part after the dash in epoch:version-release). Noxen compares the installed epoch:version-release against the fixed package version using rpm version semantics, so a host that has applied the backported errata is correctly shown as patched rather than as a false positive.
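Added example (not Noxen's own code): a Python sketch of the epoch:version-release comparison described in the matching steps and in the backport answer above, including rpm's `~` and `^` ordering, which the page does not spell out. The fix versions are copied from the tables on this page; the installed versions and all function names are constructed for illustration.

```python
import re
from itertools import zip_longest

_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")  # separators such as '.' and '_' are skipped

def rpmvercmp(a, b):
    """Compare two version or release strings with rpm's ordering: -1, 0 or 1."""
    for x, y in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x == "~" or y == "~":        # '~' sorts before everything, even end of string
            if x != "~": return 1
            if y != "~": return -1
            continue
        if x == "^" or y == "^":        # '^' sorts after end of string, before any segment
            if x is None: return -1
            if y is None: return 1
            if x != "^": return 1
            if y != "^": return -1
            continue
        if x is None: return -1         # b has segments left, so b is newer
        if y is None: return 1
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)       # 9 < 11, which plain string comparison gets wrong
        if x != y:
            return 1 if x > y else -1
    return 0

def parse_evr(evr):  # 'epoch:version-release'; a missing epoch counts as 0
    epoch, sep, rest = evr.partition(":")
    if not sep: epoch, rest = "0", evr
    version, _, release = rest.rpartition("-")
    return int(epoch), version, release

def compare_evr(installed, fixed):
    (e1, v1, r1), (e2, v2, r2) = parse_evr(installed), parse_evr(fixed)
    if e1 != e2: return 1 if e1 > e2 else -1  # epoch outranks version and release
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def findings(installed, fixed):
    """Packages whose installed EVR is strictly older than the fix EVR."""
    return sorted(p for p, evr in installed.items()
                  if p in fixed and compare_evr(evr, fixed[p]) < 0)

# Fix versions are from the tables on this page; installed versions are constructed.
FIXED = {"bind9.16": "2:9.16.23-0.22.el8_10.6", "thunderbird": "0:140.11.0-1.el8_10",
         "python-gevent": "0:1.2.2-5.el8"}
INSTALLED = {"bind9.16": "2:9.16.23-0.22.el8_10.2", "thunderbird": "140.9.0-1.el8_10",
             "python-gevent": "1.2.2-5.el8"}
print(findings(INSTALLED, FIXED))
```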
Which Rocky Linux 8 CVEs should I patch first?
Severity alone is a poor sort key. Noxen ranks findings by exposure first — a high-severity CVE in a package behind an internet-facing service outranks a critical one in a library nothing reaches — then by CVSS and EPSS. The EPSS prioritisation guide walks through the reasoning.
Scan a Rocky 8 fleet with Noxen
Add your Rocky 8 hosts via your existing ~/.ssh/config; Noxen reads rpm package state and matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.