JM Field — Linux VM Patch Audit

2026-06-01 5 Proxmox nodes (PVE 9.1) 19 Linux systems

Kernel patches pending on 12 VMs: VMID 142 (MySQL-Dev-2), VMID 145 (FreePBX-v17), VMID 137 (Enhance-Backup-Server), VMID 121 (aivscripttesting3.202), VMID 151 (jmfweb01), VMID 141 (WebServer-Enhance), VMID 123 (API-Server-3.244), VMID 120 (MySQL-Dev-Server-3.210), +4 more. CVE-2026-31431 Dirty Frag = local→root. Mitigation if reboot not possible: disable esp4, esp6, rxrpc modules.
1 VM running stale kernel — installed != running. Reboot to activate patches.
CVE-2026-31431 Dirty Frag (local→root) — 44 pkg upgrades
init / service-mgr — full system compromise — 13 pkg upgrades
glibc — used by ~everything — 10 pkg upgrades
package mgr supply chain — 5 pkg upgrades
remote access vector — 4 pkg upgrades
TLS/crypto — 2 pkg upgrades

Summary cluster-wide Linux only — Windows VMs excluded

Pending Patches

578

across 15 systems

Security Patches

155

-security pocket / updateinfo

High-Risk Hits

watchlist pkgs upgradable

Kernel Pending

VMs awaiting reboot

EOL Systems

none

Heavy Backlogs (≥150)

VM 142

Needs Reboot

running != installed kernel

Recently Patched

≤10 pending

VMID	Hostname	Node	OS	Upgradable	Sec	High-Risk Pkgs	Flags	Tier
142	MySQL-Dev-2	JMFPMX02	Ubuntu 24.04 LTS	211	—	apt-utils apt linux-generic linux-headers-generic +7	KERNEL	Critical
145	FreePBX-v17	JMFPMX03	Debian GNU/Linux 12 (bookworm)	134	68	dpkg-dev dpkg libc6-dev libc6 +7	KERNEL	High
137	Enhance-Backup-Server	JMFPMX03	Ubuntu 24.04.4 LTS	70	50	dpkg linux-generic linux-headers-generic linux-image-extra-virtual +3	KERNEL	High
151	jmfweb01	JMFPMX05	Ubuntu 24.04.4 LTS	36	—	linux-headers-generic linux-headers-virtual linux-image-virtual systemd-dev +4	KERNEL	Medium
141	WebServer-Enhance	JMFPMX04	Ubuntu 24.04.4 LTS	21	—	linux-generic linux-headers-generic linux-image-extra-virtual linux-image-generic	KERNEL	Medium
122	aivqueue-3.216	JMFPMX01	Ubuntu 22.04.5 LTS	12	—	—	—	Medium
123	API-Server-3.244	JMFPMX01	Ubuntu 24.04.4 LTS	8	—	linux-generic linux-headers-generic linux-image-generic	KERNEL REBOOT	Low
120	MySQL-Dev-Server-3.210	JMFPMX02	Ubuntu 24.04.4 LTS	7	—	linux-generic linux-headers-generic linux-image-generic	KERNEL	Low
9241	aivqueue3 (external 3.241)	external	Ubuntu 24.04.1 LTS	7	—	linux-generic linux-headers-generic linux-image-generic	KERNEL	Low
132	aivtpcserver-3.217	JMFPMX04	Ubuntu 24.04.4 LTS	6	—	linux-generic linux-headers-generic linux-image-generic	KERNEL	Low
139	callcenter	JMFPMX03	Ubuntu 24.04.4 LTS	6	—	linux-generic linux-headers-generic linux-image-generic	KERNEL	Low
130	MariaDB-3.230	JMFPMX05	Ubuntu 22.04.5 LTS	5	—	—	—	Low
149	claude-automation	JMFPMX03	Ubuntu 24.04.4 LTS	4	4	linux-headers-generic linux-headers-virtual linux-image-virtual	KERNEL	Low

VMID	Hostname	Node	OS	Sec	High-Risk Pkgs	Flags	Status
121	aivscripttesting3.202	JMFPMX02	AlmaLinux 8.10 (Cerulean Leopard)	33	glibc glibc-all-langpacks glibc-common glibc-devel +15	KERNEL	51 pending
126	aivscript-3.240	JMFPMX04	CentOS Linux 7 (Core)	—	—	—	Current
114	FTP-Production	JMFPMX02	AlmaLinux 10.1 (Heliotrope Lion)	—	—	—	Unreachable

Linux Kernel CVE-2026-31431 Dirty Frag — local user → root. Mitigation if not patched: disable esp4, esp6, rxrpc modules.
Container Runtimes — Copy Fail — container escape vector. Affects containerd, docker.io/docker-ce, runc, cri-o after kernel CVEs.

Package managers themselves — apt, dnf, yum, dpkg, rpm. Patched before any other update.

Debian/Ubuntu: cat /var/run/reboot-required
RHEL/Fedora: dnf needs-restarting -r
For 0-day kernel CVEs, prefer live-patching: Canonical Livepatch / KernelCare / Oracle Ksplice to avoid downtime.

Cluster-wide enumeration via pvesh get /cluster/resources --type vm
OS detection via QEMU guest-agent get-osinfo (Windows VMs filtered out)
Patch counts for Debian/Ubuntu via guest-exec apt list --upgradable / pct exec for LXC
RHEL family scanned via direct SSH (guest-exec disabled by default policy)
15 of 19 Linux systems returned a numeric patch count this run
Generated automatically by /opt/jmfield-patch-audit/scripts/run-monthly.sh on JMFPMX04 monthly cron

Generated 2026-06-01T14:05:40Z — internal audit, not for redistribution. audit.json raw data alongside this page.