The Situation That Made Me Build a Real Patching Workflow

The Slack message came in at 6:47 AM on a Tuesday. CVE-2024-1086 — a use-after-free in the netfilter subsystem that gives local users a path to root. My servers were running kernel 6.1.x. None of them were patched.…