CVE coverage
Rocky Linux 8 CVE tracker
Noxen pulls Rocky Linux 8 CVE data from the same upstream sources Red Hat publishes against (RHEL 8 binary-compatible). NVD provides the upstream advisory; OSV's Red Hat ecosystem feed provides the rpm-level fix versions. Rocky 8 has active maintenance through May 2029.
Live
Headline numbers
- Total CVE records (all distros)Loading…
- Last buildLoading…
- OSV records (RH ecosystem + others)Loading…
- NVD records (cross-platform)Loading…
How matching works
What Noxen does for a Rocky 8 host
- Reads
/etc/os-releaseto confirm Rocky 8 (RHEL 9 binary-compatible). - Reads
rpm -qafor installed packages, including epoch and release. - Filters the local feed cache to OSV records tagged with ecosystem
Rocky Linux:8 / Red Hat:8, plus NVD records whose CPE matches the installed packages. - Compares installed vs fix versions using rpm version semantics (epoch:version-release).
- Emits findings only where the installed version is strictly older than the fix.
Live listings
Top recent critical CVEs (Red Hat ecosystem (RHEL / Rocky / AlmaLinux))
Most-recently-published critical CVEs in the Red Hat ecosystem (RHEL / Rocky / AlmaLinux). Auto-deduped to one row per CVE ID. Snapshot baked at ; live re-fetch on page load.
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| RLSA-2026:26228 | critical | 9.8 | Important: hplip security update | hplip | 0:3.23.12-10.el10_2.4 | |
| RLSA-2026:26297 | critical | 9.8 | Important: hplip security update | hplip | 0:3.21.2-6.el9_8.4 | |
| RLSA-2026:26335 | critical | 9.8 | Important: hplip security update | hplip | 0:3.18.4-13.el8_10 | |
| RLSA-2026:25237 | critical | 9.1 | Important: openssl security update | openssl | 1:3.5.5-4.el10_2 | |
| RLSA-2026:25239 | critical | 9.1 | Important: openssl security update | openssl | 1:3.5.5-4.el9_8 | |
| RLSA-2026:25049 | critical | 9.0 | Critical: samba security update | samba | 0:4.23.5-10.el9_8 | |
| RLSA-2026:22963 | critical | 9.0 | Critical: samba security update | samba | 0:4.23.5-109.el10_2 | |
| RLSA-2026:22714 | critical | 9.1 | Important: osbuild-composer security update | osbuild-composer | 0:165.1-2.el9_8.rocky.0.1 |
Top recent high-severity CVEs (Red Hat ecosystem (RHEL / Rocky / AlmaLinux))
| CVE | Sev. | CVSS | Summary | Package | Fix in | Published |
|---|---|---|---|---|---|---|
| RLSA-2026:30851 | high | 8.2 | Important: perl:5.32 security update | perl | 4:5.32.1-474.module+el8.10.0+40155+64ce2d41 | |
| RLSA-2023:2589 | high | 7.3 | Moderate: autotrace security update | autotrace | 0:0.31.1-65.el9 | |
| RLSA-2022:5597 | high | 8.8 | Important: pandoc security update | pandoc | 0:2.0.6-6.el8_6 | |
| RLSA-2023:3067 | high | 7.3 | Moderate: autotrace security update | autotrace | 0:0.31.1-55.el8 | |
| RLSA-2023:3087 | high | 7.5 | Important: mysql:8.0 security, bug fix, and enhancement update | mecab | 0:0.996-2.module+el8.10.0+1676+9b4b6e24 | |
| RLSA-2026:30129 | high | 7.3 | Important: kernel security, bug fix, and enhancement update | kernel | 0:6.12.0-211.28.1.el10_2 | |
| RLSA-2026:28581 | high | 7.1 | Important: python3.14 security, bug fix, and enhancement update | python3.14 | 0:3.14.5-1.el10_2 | |
| RLSA-2023:6976 | high | 7.8 | Moderate: libfastjson security update | libfastjson | 0:0.99.9-2.el8 |
Notable
Recent CVEs that Rocky 8 fleets care about.
- CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE.. Red Hat advisory · Noxen deep-dive.
- CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild.. Red Hat advisory.
- CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1.. Red Hat advisory · Noxen deep-dive.
FAQ
Frequently asked about Rocky 8 CVEs
Is Rocky Linux 8 still supported in 2026?
Yes — Rocky Linux 8 tracks RHEL 8's active maintenance phase through May 2029. Security errata land in lockstep with Red Hat; the Rocky project publishes its own errata stream cross-referenced with the RHEL channel.
How is Rocky 8 different from Rocky 9 for CVE tracking?
Different package version sets, different backport lines. The same upstream CVE typically has separate fix versions in the RHEL 8 channel and the RHEL 9 channel. Noxen reads rpm -qa and /etc/os-release to pick the right ecosystem filter automatically.
How do I check Rocky 8 CVEs on a host?
For a quick check: dnf updateinfo list security. For per-CVE detail with fix versions, Noxen reads rpm package state over SSH and matches against the live ecosystem feed using rpm version semantics.
Will Noxen flag a CVE that Rocky Linux 8 has already backported a fix for?
No. Red Hat-family distros backport security fixes without changing the upstream version number — the fix shows up as a higher release field (the part after the dash in epoch:version-release). Noxen compares the installed epoch:version-release against the fixed package version using rpm version semantics, so a host that has applied the backported errata is correctly shown as patched rather than as a false positive.
Which Rocky Linux 8 CVEs should I patch first?
Severity alone is a poor sort key. Noxen ranks findings by exposure first — a high-severity CVE in a package behind an internet-facing service outranks a critical one in a library nothing reaches — then by CVSS and EPSS. The EPSS prioritisation guide walks through the reasoning.
Scan a Rocky 8 fleet with Noxen
Add your Rocky 8 hosts via your existing
~/.ssh/config; Noxen reads rpm package state and
matches against the live signed feed. No agent, no SaaS round-trip.
$79 one-time.