TL;DR: The thing that caught me off guard the first time I seriously tracked a kernel CVE was realizing I had no idea what "patched" actually meant. I'd see a CVE entry marked as resolved, open a terminal on my Ubuntu 22.

What's in this article

The Gap Between 'Kernel Patched' and 'Your Server Is Safe'
How Distros Actually Handle Upstream Kernel Vulnerabilities
Reading a Real Kernel CVE: CVE-2023-3269 (StackRot) as a Case Study
Commands You Actually Need to Audit Your Exposure
Live Patching: When It Helps and When It's a False Sense of Security
Distro-by-Distro Reality Check: Patch Velocity vs. Stability Tradeoff
What RHEL's 'Extended Kernel Stable' Model Actually Means for You
Setting Up Automated Alerts So You're Not Reading NVD Manually

The Gap Between 'Kernel Patched' and 'Your Server Is Safe'

The thing that caught me off guard the first time I seriously tracked a kernel CVE was realizing I had no idea what "patched" actually meant.…