How to check if your PC is affected in under 5 minutes
Every couple of months, a new Linux vulnerability appears in the news and a CVE number begins to circulate. If you use Linux, the reaction is predictable: “Am I vulnerable? Before assuming the worst, take five minutes and check if your PC is affected.
Most Linux CVE headlines sound scarier than they are, but that doesn’t automatically mean your system is exposed. Patches for Linux distributions often provide updates quickly (sometimes before most people even notice the vulnerability exists). Here’s how to check if your system is vulnerable or contains vulnerable packages:
What is a CVE?
Understand what the identifier actually represents
A CVE number looks like this:
CVE-2026-12345
It is simply an identifier that points to a specific documented vulnerability. This doesn’t automatically mean your distribution is affected or that you need to reinstall anything (in most cases). The key detail that many people forget is that upstream project notices and distribution notices are not the same thing.
If you’re new to Linux and don’t know the jargon, here’s what it means: When the Linux kernel team announces a vulnerability, it affects the upstream kernel source. Your distribution may have already fixed the problem in its packaged versions, sometimes without drastically changing the visible version string. This process is called backporting and it is essential to how stable distributions maintain security without breaking compatibility. So the first thing to do is to check your distribution’s security tracker, not just a generic CVE database.
Stop! These 4 Linux Distros Aren’t As Safe As You Think For Beginners
If you’re new to Linux, you might accidentally ruin your experience if you try to install one of these Linux distributions.
Check a CVE on Debian
Use the Debian Security Tracker
Security patches are not only distributed, but version specific. Before checking the CVE, confirm the build and version of your distribution.
lsb_release -a
Debian maintains a clear and extremely useful public safety tracker. Go to security-tracker.debian.org and enter the CVE ID. The tracking page will show you the affected source package and the status of each supported Debian version.
For example, if you search CVE-2026–27586the tracker shows the Caddy package which is a lightweight web server also vulnerable on Bookworm, Trixie and Sid, without a patched Debian package yet. This tells you that the problem exists in the packaged version currently shipped by the distribution.
If a tracker entry doesn’t mention your release at all, then you are not vulnerable. If it says patched, the page lists the version of the Debian package the patch was applied to. This version number is what you compare with the package installed on your system.
Check the version of the installed package
To check the locally installed version, run:
apt policy caddy
The output displays the version currently installed on your system and the version candidate available in your configured repositories. Compare it with the installed version with the patched version listed in the Debian tracker.
If your installed version is the same as the patched version or newer, the vulnerability has already been patched on your system, but if your version is older, update the system to have the patched package installed. If the tracker still lists the issue as vulnerable or unresolved, that means Debian maintainers haven’t delivered a fixed package yet, so you should wait for an update.
You can technically roll back to safer versions, but this may cause compatibility issues.
Check a CVE on Ubuntu
Use Ubuntu CVE Security Pages
Ubuntu publishes CVE information at ubuntu.com/security/cves. Enter the CVE number in the search box to open the advisory page.
The page includes a description of the vulnerability and a table showing the status of the affected package in different versions of Ubuntu.
Each version is listed separately with a different status. For example, the CVE page for CVE-2026-27586 displays the status Needs assessment for Ubuntu 25.10 and Ubuntu 24.04 LTS, while Ubuntu 22.04 LTS shows Not in version. This means that the package is not present in this version. If a version appears, Needs assessment, The Ubuntu security team is still determining if the packaged version is affected. If it shows Fixed, The page lists the version of the package on which the fix was applied.
Beginner’s Guide to Basic Ubuntu System Security
You can strengthen the security of your Ubuntu system quickly and easily by following this guide!
Compare with your installed package
Once you note the patched version, check your installed package. The command is the same as Debian:
apt policy caddy
If your system shows the patched version or a newer version, you are safe. Otherwise, update the system like in Debian. Ubuntu often offers unattended upgrades, which means security patches may already have been installed automatically.
Checking RHEL CVEs
Using the Red Hat Security Tips System
RHEL is a proprietary distribution that provides a large ecosystem of enterprise services, making it somewhat different from most community distributions (except for offerings like Ubuntu Pro or SUSE).
To check if your RHEL system is affected, you have several options:
Look for the CVE number on the Red Hat CVE security page. This page lists CVEs affecting Red Hat. To check for vulnerabilities in RHEL packages only, you must enable the option CVE affecting Red Hat software option.
You can also register and use Red Hat CVE Checker, which provides additional details. RHEL also publishes security advisories, which provide vendor-specific updates and actionable fixes for vulnerabilities.
Check the version of the installed package
To check what is installed on your RHEL system (you can also do the same for Fedora):
dnf info caddy
Compare the installed version to the patched version listed in the advisory and upgrade if a patched version is available.
Checking the running kernel
Confirm which kernel version is active
If the CVE specifically targets the Linux kernel, always check which kernel you are running.
uname -r
Kernel CVEs are also publicly announced by kernel maintainers via the Linux CVE mailing list. These announcements are archived at lore.kernel.org/linux-cve-announce.
You can search for the CVE ID directly on this page. The archive will show the original announcement email, which typically includes a description of the vulnerability, the affected subsystem, and the kernel versions in which the issue was fixed.
For example, searching for a CVE like CVE-2025-71237 will show the announcement from the kernel team describing the issue, the commits that fixed it, and the kernel versions where the fix was applied.
Check if a patched kernel is available
On Debian or Ubuntu:
apt list --upgradable | grep linux
On RHEL:
dnf check-update | grep kernel
If a new kernel is installed but still reports an old version, reboot. Kernel vulnerabilities often make the most alarming headlines, but they are also among the easiest to fix in most cases.
You probably don’t need to compile a Linux kernel anymore
It’s not the 90s anymore.
Putting Linux CVE Reports in Practical Context
Not all CVEs have the same practical impact. For example, a remote code execution vulnerability in a service exposed to the public Internet merits immediate attention, while a local escalation of privilege that requires shell access on a single-user desktop is generally less urgent.
Before you panic, consider some basic questions, such as: is the affected package actually installed on your system, is the service enabled, and is it exposed to untrusted networks? If the vulnerable component is not installed, not working, or not accessible from outside the system, the practical risk may already be much lower.
If you’re running a supported version of a major distribution, the security team actively fixes vulnerabilities, but if you’re running an unsupported version, there is no official security maintenance. This is where the risk increases significantly and CVE checking doesn’t really help much. If you repeatedly worry about vulnerabilities, confirm that your version is still receiving updates.
