Kernel Security Checker: Check If Your Kernel Version Has Known Exploits
Until now, Kernel Security Checker answered a single question: how well hardened is my kernel? It analyzed the configuration (kconfig, sysctl, cmdline) and showed which options are worth enabling.
But that doesn’t tell the whole story. A well-configured kernel on an old version can still have holes for which exploits have long been public. So there’s now a second section: Vulnerabilities.
What the new CVE tab does
You enter your kernel version (what uname -r returns) and the tool lists known public exploits matched to that version. For each hit you get:
- the CVE number with a link to NVD,
- a short name (e.g. double-free in nf_tables),
- links to the analysis, exploit code, and the Exploit-DB entry, where available.
So instead of “how do I harden myself”, it answers “what is already publicly broken for my version”.
How to use it
Check your kernel version:
uname -r
You’ll get something like 5.15.0-91-generic or 6.6.8. Paste it into the CVE tab in Kernel Security Checker and hit check.
For 5.15.0-91-generic, for example, the tool will surface CopyFail (CVE-2026-31431), the nf_tables double-free (CVE-2024-1086), OverlayFS suid smuggle (CVE-2023-0386) and several more, newest first.
Important: this matches by version, it is not a scan
One thing to keep in mind. The tool compares the version number against a database of known vulnerabilities. It does not check whether the patch is actually present in your kernel.
Distributions backport security fixes without bumping the version number. Ubuntu or RHEL may run a kernel with a two-year-old version string but hundreds of patched CVEs. Therefore:
- a hit = “a public exploit exists for this base version”; a signal to check whether your distro already shipped the patch,
- no hits = not a guarantee of safety, just no known entries in the database.
Treat it as a quick risk indicator, not a verdict. For a hard assessment you still need to check your distro’s kernel changelog or the specific package’s CVE list.
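One way to follow up on a hit is to check the listed CVE ids against the changelog of the kernel package you actually run. The script below is an added example and not part of Kernel Security Checker; the function names, status strings and changelog excerpt are constructed for illustration, and the CVE ids are the ones listed above for 5.15.0-91-generic.

```shell
#!/bin/sh
# Added example (not part of Kernel Security Checker): triage version-matched
# CVE hits against the changelog of the installed kernel package.

# base_version RELEASE: strip the distro suffix from a `uname -r` string,
# e.g. 5.15.0-91-generic -> 5.15.0. Version matching keys on this part,
# which is why backported fixes are invisible to it.
base_version() {
    printf '%s\n' "${1%%-*}"
}

# triage_hits CVE...: read a package changelog on stdin and print one line
# per id: "<id> changelog-mentions-it" or "<id> not-in-changelog".
# -F matches the id literally; -w stops CVE-2024-1086 from matching a
# longer id such as CVE-2024-10860.
triage_hits() {
    changelog=$(cat)
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            printf '%s changelog-mentions-it\n' "$cve"
        else
            printf '%s not-in-changelog\n' "$cve"
        fi
    done
}

# Constructed changelog excerpt for the demo; not real distro output.
sample_changelog() {
    cat <<'EOF'
linux (5.15.0-91.101) constructed-sample; urgency=medium
  * CVE-2024-1086
    - netfilter: nf_tables: (constructed entry)
  * CVE-2023-0386
    - ovl: (constructed entry)
EOF
}

# Demo. On a real host, feed the distro's own changelog instead, e.g.
#   rpm -q --changelog kernel        (RPM-based; package name may differ)
#   apt-get changelog <kernel-pkg>   (Debian/Ubuntu; needs network access)
echo "base version: $(base_version "5.15.0-91-generic")"
sample_changelog | triage_hits CVE-2026-31431 CVE-2024-1086 CVE-2023-0386
```

A mention is a pointer to read that changelog entry, not proof that the fix is complete. An id that is missing still needs the distro's CVE tracker, because changelogs do not always tag fixes with CVE ids.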
More on vulnerabilities from the database: CopyFail: 9 Years of Hidden Privilege Escalation | Dirty COW, Dirty Pipe, CopyFail: Three Ways to Root
Full configuration analysis: Kernel Security Checker