If you run a couple of Linux boxes for a side project or a small SaaS, you've probably had this moment: a CVE hits the news, your monitoring tool spits out 400 "high severity" findings, and you have no idea which ones actually matter. CVSS says everything is a 7.8. You patch nothing, or you patch everything and pray nothing breaks.
The honest truth is that most CVEs on your box will never be exploited. The number you actually care about is small. Here's how to find it fast.
One command, no signup
curl -fsSL https://mindsparkstack.com/scan.sh | bash
It's read-only and anonymous. Nothing is stored server-side, and you can read the script before you run it (you should always read anything you pipe to bash). It reads your distro, kernel version, and dpkg/apk/rpm package list, matches them against the vendor advisories — Ubuntu USN, Debian DSA, Alpine, RHEL — cross-referenced with NVD, and prints back the few CVEs that actually apply to your installed versions. It supports Ubuntu, Debian, Alpine, AlmaLinux, and Rocky.
But matching CVEs to packages is the easy half. The useful half is ranking.
KEV vs EPSS: the two numbers that matter more than CVSS
CVSS scores how severe the impact would be if a vulnerability were exploited. It says nothing about whether anyone is actually exploiting it. Two free, authoritative data sources fix that:
CISA KEV (Known Exploited Vulnerabilities). This is a catalog the U.S. government maintains of CVEs that are being exploited in the wild, right now. If a CVE is on the KEV list, it's not theoretical — someone has a working exploit and is using it. This is your drop-everything signal.
FIRST EPSS (Exploit Prediction Scoring System). A daily-updated probability (0 to 1) that a given CVE will be exploited in the next 30 days. A CVE with EPSS 0.94 is far more urgent than one at 0.002, even if both are "CVSS 7.8."
So the priority order isn't "highest CVSS first." It's:
- On CISA KEV → actively exploited → patch today
- High EPSS → likely to be exploited soon → patch this week
- Everything else → real, but not on fire → schedule it
The scanner sorts findings exploited-first and flags the KEV ones as actively exploited, so the thing at the top of the list is genuinely the thing you should do next.
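To make the ordering concrete, here is an added example of that KEV-then-EPSS triage (my own illustration, not the scanner's code). The EPSS cut-off of 0.5 for "high" and the four sample findings with placeholder CVE ids are constructed assumptions; note that a KEV entry outranks a higher-EPSS non-KEV one, and CVSS never enters the sort key.

```python
from dataclasses import dataclass

# Tier labels mirror the scanner output shown on this page.
ACTIVELY_EXPLOITED = "ACTIVELY EXPLOITED"
HIGH_RISK = "HIGH RISK"
PATCH_WHEN_ABLE = "PATCH WHEN ABLE"

# Assumed policy cut-off for "high EPSS"; the page gives no number, 0.5 is a placeholder.
HIGH_EPSS_THRESHOLD = 0.5

TIER_RANK = {ACTIVELY_EXPLOITED: 0, HIGH_RISK: 1, PATCH_WHEN_ABLE: 2}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    version: str
    cvss: float     # kept for display only; deliberately not used for ranking
    epss: float     # FIRST EPSS probability of exploitation in the next 30 days, 0..1
    in_kev: bool    # True if the CVE appears in the CISA KEV catalog


def tier(f: Finding) -> str:
    """KEV membership beats everything; otherwise EPSS decides; CVSS is ignored."""
    if f.in_kev:
        return ACTIVELY_EXPLOITED
    if f.epss >= HIGH_EPSS_THRESHOLD:
        return HIGH_RISK
    return PATCH_WHEN_ABLE


def rank(findings):
    """Exploited-first order: tier, then descending EPSS, then CVE id for a stable sort."""
    return sorted(findings, key=lambda f: (TIER_RANK[tier(f)], -f.epss, f.cve))


def render(findings):
    """Produce one output line per finding in the same shape as the scanner's list."""
    lines = []
    for f in rank(findings):
        src = "CISA KEV, " if f.in_kev else ""
        lines.append(f"[{tier(f)}] {f.cve} {f.package} {f.version} ({src}EPSS {f.epss:.2f})")
    return lines


# Constructed sample: every finding carries the same CVSS 7.8, so CVSS cannot separate them.
SAMPLE = [
    Finding("CVE-0000-0001", "nginx", "1.18.0", 7.8, 0.01, False),
    Finding("CVE-0000-0002", "openssl", "3.0.2", 7.8, 0.91, True),
    Finding("CVE-0000-0003", "curl", "7.81.0", 7.8, 0.62, False),
    Finding("CVE-0000-0004", "zlib", "1.2.11", 7.8, 0.05, True),  # low EPSS but on KEV
]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```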
What the output looks like
Instead of a wall of CVSS scores, you get a ranked, decision-first list with the exact remediation command for each finding:
Illustrative output below — the CVE IDs, package versions, and EPSS scores are placeholders to show the shape of the result, not a real scan. Run the command above to see your own box's actual findings.
[ACTIVELY EXPLOITED] CVE-XXXX-XXXXX openssl 3.0.2 (CISA KEV, EPSS 0.91)
→ sudo apt install --only-upgrade openssl
[HIGH RISK] CVE-XXXX-XXXXX curl 7.81.0 (EPSS 0.62)
→ sudo apt install --only-upgrade curl
[PATCH WHEN ABLE] CVE-XXXX-XXXXX nginx 1.18.0 (EPSS 0.01)
→ sudo apt install --only-upgrade nginx
The point: you don't get a research project. You get a short list and the exact one-liner to fix each item. Triage is already done.
Does it actually work? We dogfood it.
When CVE-2026-31431 dropped — "Copy Fail," a local privilege-escalation bug in the Linux kernel's algif_aead module — we ran this same flow on our own production VPS and had it mitigated in about 30 minutes. The scan also surfaced several other real outstanding CVEs on that box that we then worked through.
We keep the audit log for that machine public: mindsparkstack.com/patch/audit/mss-vps. Timestamped actions, what was found, what was fixed. It's there partly to prove the tool isn't vaporware and partly because an audit trail you can hand someone is genuinely useful.
Where this sits in the ecosystem
To be fair about the alternatives:
- Vuls / Trivy / Grype are excellent open-source scanners. If you enjoy self-hosting the scanner, building the triage layer, and writing your own remediation playbooks, use them — they're powerful and free.
- Snyk / Tenable / Wiz are the enterprise tier. They're great and they will not sell to a 1-to-3-person shop at a price that makes sense.
The gap in the middle is "I have 3 servers, I don't want a wall of scores, just tell me which few CVEs are on fire and the command to run." That's the niche. The free scan above fills most of it with zero commitment.
The one-line aside
If you want that scan running hourly with real-time alerts and your own audit-log URL instead of running it by hand, there's a managed tier (free for 3 servers; paid plans from $9/mo, 14-day trial, no card) at mindsparkstack.com/patch — but honestly, run the free command first and see if the ranked output is useful to you at all. That's the part that matters.