Sunday, April 26, 2026

Master Kernel Security: How to Handle Critical CVEs on Rocky Linux (Even Without an Immediate Patch)

 



Stop chasing CVEs. Learn to permanently check, patch, and mitigate Linux kernel vulnerabilities using real automation scripts. Includes LKRG setup and a book that teaches you to build tools for any future zero-day.


We saw a security advisory released today for Rocky Linux (RLSA-2026:9135) regarding the kernel-rt package. While this specific patch is critical for real-time systems, treating security as an "alarm and update" cycle is exhausting.

If you are running a Rocky Linux server, you need a workflow that works for any CVE, not just this week's. Below is your evergreen game plan to assess risk, apply fixes non-disruptively, and, most importantly, build the skills to deal with vulnerabilities that don't have a patch yet.


1. How to check if you are vulnerable (Right Now)


Don't just read the news; check your actual system. Use the Rocky Linux toolchain to verify if your specific kernel version is affected.

bash
# Check your current kernel version
uname -r

# Query the changelog of the RUNNING kernel for the CVE ID.
# Querying plain "kernel-core" prints the changelog of every installed kernel,
# so a patched kernel that is installed but not yet booted would look like a fix.
# Real-time systems (the kernel-rt package this advisory covers) use kernel-rt-core.
rpm -q --changelog "kernel-core-$(uname -r)" | grep -i CVE-2026-9135

# Use DNF to see if the fix is available in the repo
dnf updateinfo info --cve CVE-2026-9135


If grep returns nothing, the kernel you are running does not carry the fix. If DNF lists an update, the fix is available in the repository: install it and reboot into the new kernel.


2. Automation: The "Fix It Forever" Script

Stop updating servers manually. This bash script checks for this specific CVE and applies the mitigation. It is compatible with RHEL, Rocky, AlmaLinux, and Fedora.


Save this as sec-fix.sh:

bash
#!/bin/bash
# Evergreen security patcher for Rocky Linux
set -eu
CVE="CVE-2026-9135"
echo "🔒 Checking for kernel vulnerability $CVE..."

# Check the kernel that is actually running, not every installed kernel
if rpm -q --changelog "kernel-core-$(uname -r)" | grep -q "$CVE"; then
    echo "✅ System is already patched."
else
    echo "⚠️  Vulnerability detected. Applying fix..."

    # Standard fix: update the kernel
    sudo dnf update kernel kernel-modules -y

    # Alternative: If you can't reboot right now, load LKRG (shipped in EPEL)
    if ! systemctl is-active --quiet lkrg; then
        echo "🛡️  Applying runtime kernel guard as interim mitigation..."
        sudo dnf install epel-release -y
        sudo dnf install lkrg -y
        sudo systemctl enable --now lkrg
    fi
    echo "❗ A full reboot is still required to finalize the kernel update."
fi


Why this works: the script checks whether the running kernel already carries the fix before it changes anything, so it is idempotent and can be re-run without side effects.
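The one-off check in section 1 and the script above are tied to a single CVE and cannot distinguish a patched kernel that is running from one that is merely installed. As an added example that is not part of the original post, the script below generalizes the check to any CVE and either kernel flavour; it assumes the real-time kernel ships as kernel-rt-core and that dnf updateinfo list --cve prints nothing when no advisory matches, and the kernel release strings in the usage line are constructed.

```shell
#!/bin/bash
# Evergreen kernel CVE triage for RPM systems; separates four states that one changelog grep conflates:
#   0 = the RUNNING kernel carries the fix
#   1 = a fixed kernel is INSTALLED but not booted yet (reboot pending)
#   2 = the fix is available in the repo but not installed
#   3 = no fix known to rpm/dnf; rely on a compensating control such as LKRG

# Pure decision logic, kept free of rpm/dnf calls so it can be tested anywhere.
#   $1 CVE id, $2 running kernel release (uname -r), $3 newline-separated installed
#   kernel releases whose changelog mentions $1, $4 "yes"/"no" = dnf lists an advisory for $1
classify_cve_state() {
    local running=$2 fixed=$3 repo_has_fix=$4
    if [ -n "$fixed" ] && printf '%s\n' "$fixed" | grep -qxF -- "$running"; then
        echo 0
    elif [ -n "$fixed" ]; then
        echo 1
    elif [ "$repo_has_fix" = yes ]; then
        echo 2
    else
        echo 3
    fi
}

# Installed releases of package $2 (kernel-core, or kernel-rt-core for the RT kernel; assumed name)
# whose changelog mentions CVE $1. Each release is queried on its own, so a patched
# kernel that is installed but not running cannot mask the result.
fixed_installed_kernels() {
    local cve=$1 pkg=${2:-kernel-core} rel
    rpm -q "$pkg" >/dev/null 2>&1 || return 0   # rpm reports "not installed" on stdout
    for rel in $(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' "$pkg"); do
        rpm -q --changelog "$pkg-$rel" | grep -qi -- "$cve" && echo "$rel"
    done
}

# Collects live data, prints a one-line verdict and returns the state code.
check_cve() {
    local cve=$1 pkg=${2:-kernel-core} fixed repo=no state
    command -v rpm >/dev/null || { echo "rpm not found" >&2; return 4; }
    fixed=$(fixed_installed_kernels "$cve" "$pkg")
    dnf -q updateinfo list --cve "$cve" 2>/dev/null | grep -q . && repo=yes
    state=$(classify_cve_state "$cve" "$(uname -r)" "$fixed" "$repo")
    case $state in
        0) echo "$cve: running kernel $(uname -r) is patched" ;;
        1) echo "$cve: patched kernel installed, REBOOT PENDING (running $(uname -r))" ;;
        2) echo "$cve: fix available in repo, run: dnf update $pkg" ;;
        *) echo "$cve: no fix in rpm/dnf yet, keep LKRG active" ;;
    esac
    return "$state"
}

# Usage: ./cve-state.sh CVE-2026-9135 [kernel-core|kernel-rt-core]
if [ $# -ge 1 ]; then check_cve "$@"; fi
```

The exit code lets a cron job or configuration-management run branch on "patched", "reboot pending", "update available" and "no fix yet" instead of a single grep result.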

3. Can't update right now? Do this instead.

Sometimes you cannot reboot a production real-time kernel immediately. You need a compensating control.

Install LKRG (Linux Kernel Runtime Guard). This module checks the integrity of the kernel while it is running and blocks privilege escalation attempts.

Note: there is a slight performance overhead (<3%), but it can stop exploitation attempts for which no patch exists yet.

bash
# For Rocky Linux 9/10 (LKRG is packaged in EPEL)
sudo dnf install epel-release
sudo dnf install lkrg
sudo systemctl enable --now lkrg


Note:


This script solves one CVE. But what happens next Tuesday when a new zero-day drops? You cannot wait for Red Hat to backport a fix.

This is where you stop being a script-kiddie and become an engineer. "Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly" by Dennis Andriesse is the bible for this.



Why this book is the real solution:



While everyone else is panic-googling CVSS scores, you will be using dynamic taint analysis and symbolic execution to find the vulnerability in the binary yourself. The book teaches you to build custom disassembly tools with Capstone and instrumentation with Pin.

My script handles a specific CVE. This book teaches you how to build the tools that handle every CVE you haven't seen yet.

By the end of Chapter 10, you won't need a security advisory to tell you that your system is compromised; your own binary analysis tools will tell you.

Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.

Conclusion:



Don't let a specific date dictate your security posture. Use the automation script today, lock down your kernel with LKRG for uptime, and invest in the skills to reverse engineer any binary that comes your way.

