JM Field — Linux VM Patch Audit

2026-06-15 5 Proxmox nodes (PVE 9.1) 19 Linux systems

Kernel patches pending on 3 VMs: VMID 137 (Enhance-Backup-Server), VMID 121 (aivscripttesting3.202), VMID 149 (claude-automation). CVE-2026-31431 Dirty Frag = local→root. Mitigation if reboot not possible: disable esp4, esp6, rxrpc modules.
9 VMs running stale kernel — installed != running. Reboot to activate patches.
CVE-2026-31431 Dirty Frag (local→root) — 24 pkg upgrades
glibc — used by ~everything — 8 pkg upgrades
init / service-mgr — full system compromise — 6 pkg upgrades
package mgr supply chain — 3 pkg upgrades
remote access vector — 2 pkg upgrades
TLS/crypto — 1 pkg upgrade

Summary cluster-wide Linux only — Windows VMs excluded

Pending Patches

570

across 15 systems

Security Patches

216

-security pocket / updateinfo

High-Risk Hits

watchlist pkgs upgradable

Kernel Pending

VMs awaiting reboot

EOL Systems

none

Heavy Backlogs (≥150)

VM 142

Needs Reboot

running != installed kernel

Recently Patched

≤10 pending

VMID	Hostname	Node	OS	Upgradable	Sec	High-Risk Pkgs	Flags	Tier
142	MySQL-Dev-2	JMFPMX02	Ubuntu 24.04 LTS	197	2	apt-utils apt systemd-hwe-hwdb	REBOOT	Critical
137	Enhance-Backup-Server	JMFPMX03	Ubuntu 24.04.4 LTS	114	92	dpkg linux-generic linux-headers-generic linux-image-extra-virtual +9	KERNEL	High
123	API-Server-3.244	JMFPMX01	Ubuntu 24.04.4 LTS	39	19	—	REBOOT	Medium
141	EnhancePanel-3.212	JMFPMX04	Ubuntu 24.04.4 LTS	33	18	—	—	Medium
151	jmfweb01	JMFPMX05	Ubuntu 24.04.4 LTS	23	—	—	REBOOT	Medium
122	aivqueue-3.216	JMFPMX01	Ubuntu 22.04.5 LTS	18	4	—	REBOOT	Medium
9241	aivqueue3 (external 3.241)	external	Ubuntu 24.04.1 LTS	16	2	—	REBOOT	Medium
120	MySQL-Dev-Server-3.210	JMFPMX02	Ubuntu 24.04.4 LTS	11	2	—	REBOOT	Medium
132	aivtpcserver-3.217	JMFPMX04	Ubuntu 24.04.4 LTS	10	2	—	REBOOT	Medium
139	callcenter	JMFPMX03	Ubuntu 24.04.4 LTS	10	2	—	REBOOT	Medium
130	MariaDB-3.230	JMFPMX05	Ubuntu 22.04.5 LTS	9	—	—	REBOOT	Low
149	claude-automation	JMFPMX03	Ubuntu 24.04.4 LTS	4	4	linux-headers-generic linux-headers-virtual linux-image-virtual	KERNEL	Low
145	FreePBX-v17	JMFPMX03	Debian GNU/Linux 12 (bookworm)	2	2	—	—	Low

VMID	Hostname	Node	OS	Sec	High-Risk Pkgs	Flags	Status
121	aivscripttesting3.202	JMFPMX02	AlmaLinux 8.10 (Cerulean Leopard)	67	glibc glibc-all-langpacks glibc-common glibc-devel +21	KERNEL	84 pending
126	aivscript-3.240	JMFPMX04	CentOS Linux 7 (Core)	—	—	—	Current
114	FTP-Production	JMFPMX02	AlmaLinux 10.1 (Heliotrope Lion)	—	—	—	Unreachable

Linux Kernel CVE-2026-31431 Dirty Frag — local user → root. Mitigation if not patched: disable esp4, esp6, rxrpc modules.
Container Runtimes — Copy Fail — container escape vector. Affects containerd, docker.io/docker-ce, runc, cri-o after kernel CVEs.

Package managers themselves — apt, dnf, yum, dpkg, rpm. Patched before any other update.

Debian/Ubuntu: cat /var/run/reboot-required
RHEL/Fedora: dnf needs-restarting -r
For 0-day kernel CVEs, prefer live-patching: Canonical Livepatch / KernelCare / Oracle Ksplice to avoid downtime.

Cluster-wide enumeration via pvesh get /cluster/resources --type vm
OS detection via QEMU guest-agent get-osinfo (Windows VMs filtered out)
Patch counts for Debian/Ubuntu via guest-exec apt list --upgradable / pct exec for LXC
RHEL family scanned via direct SSH (guest-exec disabled by default policy)
15 of 19 Linux systems returned a numeric patch count this run
Generated automatically by /opt/jmfield-patch-audit/scripts/run-monthly.sh on JMFPMX04 monthly cron

Generated 2026-06-15T14:05:27Z — internal audit, not for redistribution. audit.json raw data alongside this page.