Detect exposure (non-destructive)

These commands help inventory kernels and exposed subsystems. They do not validate exploitability and must not be interpreted as penetration testing guidance.

Kernel lineage

uname -r
uname -rv

Compare the running release against your vendor's fixed-version tables (Ubuntu, Debian, Red Hat). Remember reboot requirements after installing a remediated kernel.

Installed kernel packages

Examples - adapt to your package manager:

# Debian / Ubuntu (APT)
dpkg-query -W -f='${binary:Package}	${Version}
' linux-image-* | sort

# RHEL family (DNF)
dnf list installed kernel*

Loaded networking modules

lsmod | grep -E '^(esp4|esp6|xfrm|rxrpc)[[:space:]]' || true

Presence indicates those subsystems are active; absence does not alone prove patching status. Root cause remediation is always the vendor kernel build named in security advisories.

Containers and Kubernetes nodes

Inspect the host kernel on each worker; pod images can be current while the node kernel remains vulnerable. Tie results back to fleet patch tickets.