CVE Chapter

What is a Security Patch and How to Apply It

Jul 3, 2026 · 10 min read · Beginner

What is a Security Patch?

A security patch is a targeted software update that fixes one or more security vulnerabilities without delivering new functionality. It modifies executable files, libraries, configuration, or firmware to eliminate or reduce the exploitability of a known weakness.

Patches are released by software vendors in response to:

From the vendor's side, a patch usually involves changing source code to add input validation, fix memory handling, enforce proper access controls, or disable an unsafe feature, then compiling, signing, and distributing the update through official channels.

Types of Patches

Patch TypeDescriptionExample
Security PatchFixes a security vulnerability specificallyApache httpd 2.4.59 fixing CVE-2024-27316
HotfixEmergency patch for an actively exploited critical vuln, released outside normal cycleMicrosoft out-of-band patch for a Defender zero-day
Bug FixFixes non-security defectsMemory leak fix in database driver
Feature UpdateAdds new functionality; may include security improvementsMajor OS version update
Firmware UpdatePatches hardware-level code (BIOS, UEFI, NIC firmware)Intel microcode update for Spectre
Configuration HardeningNot code — changes default settings to more secure valuesDisabling TLS 1.0/1.1 via config

Patch Tuesday

Patch Tuesday is the second Tuesday of each month, when Microsoft releases its batch of security updates. This predictable schedule lets IT teams plan maintenance windows around a known release date. Adobe, Intel, and SAP also align many releases to Patch Tuesday. Other vendors like Red Hat, Ubuntu, and Cisco have their own release schedules.

Why Patching Matters

The overwhelming majority of successful cyberattacks exploit known vulnerabilities — ones that already have patches available. A landmark Verizon Data Breach Investigations Report finding: over 80% of successful breaches exploited vulnerabilities for which patches had been available for more than a year.

Notable examples where slow patching led to catastrophe:

Key insight: Patching is not about preventing zero-day attacks. It is about closing the window of opportunity after a patch is released — the period when attackers know the vulnerability exists but defenders have not yet fixed it.

Patching SLAs: How Fast Should You Patch?

Most security frameworks define patching timeframes based on CVSS severity. These are common benchmarks:

CVSS SeverityScore RangeCISA MandateCommon Enterprise SLA
Critical9.0 – 10.015 days7–15 days
High7.0 – 8.930 days30 days
Medium4.0 – 6.960–90 days
Low0.1 – 3.9Next maintenance cycle
CISA KEV ListedAnyPer KEV deadline (often 2 weeks)Immediate

If a vulnerability appears on the CISA Known Exploited Vulnerabilities (KEV) catalog, it means it is being actively exploited in the wild. Federal agencies are required by law to patch these within the specified deadline. Private organisations should treat KEV entries as highest priority regardless of CVSS score.

How to Apply Patches on Linux

The exact commands vary by Linux distribution, but the process is the same: update the package list, then install available updates.

Ubuntu / Debian

# Update package index
sudo apt update

# View available security updates
apt list --upgradable 2>/dev/null | grep -i security

# Apply all updates (including security)
sudo apt upgrade -y

# Apply security updates only (requires unattended-upgrades)
sudo unattended-upgrade --dry-run  # preview
sudo unattended-upgrade            # apply

RHEL / CentOS / Rocky Linux (dnf/yum)

# List available security updates
sudo dnf check-update --security

# Apply security updates only
sudo dnf update --security -y

# Apply all updates
sudo dnf update -y

Check If Reboot Is Required

# Ubuntu/Debian
ls /var/run/reboot-required 2>/dev/null && echo "Reboot required"

# RHEL/CentOS
sudo needs-restarting -r
Important: Kernel patches and libc updates require a reboot to take effect. Services like Apache or SSH can often be restarted without a full reboot after shared library patches. Use needs-restarting on RHEL or checkrestart on Debian to identify which services need restarting.

Automated Security Patching on Linux

For servers, consider enabling unattended security updates to reduce the window between patch release and application:

# Ubuntu: install and enable
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

# Configuration file
cat /etc/apt/apt.conf.d/50unattended-upgrades
# Ensure "${distro_id}:${distro_codename}-security" is uncommented

How to Apply Patches on Windows Server

Via Windows Update (GUI)

1
Open Settings → Windows Update
Or search "Windows Update" in the Start menu.
2
Click "Check for updates"
Windows will download and list available updates, flagging security updates separately.
3
Install all updates
Do not defer security updates. Click "Download and install" for Critical and Security updates immediately.
4
Reboot if prompted
Many Windows patches require a restart. Schedule during a maintenance window.

Via PowerShell (Recommended for Servers)

# Install PSWindowsUpdate module if not present
Install-Module -Name PSWindowsUpdate -Force

# List available security updates
Get-WindowsUpdate -Category "Security Updates"

# Install all security updates
Install-WindowsUpdate -Category "Security Updates" -AcceptAll -AutoReboot

Enterprise: WSUS and SCCM

For large environments, use Windows Server Update Services (WSUS) to centralise patch approval and deployment, or Microsoft Endpoint Configuration Manager (SCCM/MECM) for full lifecycle management including testing, approval workflows, and compliance reporting.

Patching Containers and Cloud Services

Containers and cloud-managed services require a different patching approach.

Container Images

Container images are immutable — you do not patch a running container. Instead:

  1. Rebuild the base image from a patched base (e.g., FROM ubuntu:24.04 after Ubuntu releases security updates)
  2. Run your CI/CD pipeline to test the new image
  3. Deploy the new image, replacing the old containers

Use tools like Trivy, Grype, or Snyk Container to scan images for vulnerabilities before deployment.

Cloud Managed Services

Cloud-managed databases (RDS, Cloud SQL), load balancers, and serverless functions are patched by the cloud provider automatically. Your responsibility is to check the provider's security bulletins and update configuration when required (e.g., moving to a newer engine version when an old version reaches end of life).

Patch Management Best Practices

Frequently Asked Questions

What is a security patch?
A security patch is a software update that fixes one or more security vulnerabilities. It modifies executable code, configuration files, or libraries to eliminate or mitigate the vulnerability without requiring a full software version upgrade.
How quickly should I apply security patches?
CISA recommends patching critical (CVSS 9.0+) vulnerabilities within 15 days and high (7.0–8.9) within 30 days. Vulnerabilities on the CISA Known Exploited Vulnerabilities list should be patched within the mandated deadline, often 2 weeks.
What is Patch Tuesday?
Patch Tuesday is the second Tuesday of every month, when Microsoft releases its monthly batch of security updates for Windows, Office, and other Microsoft products. Other vendors like Adobe and Intel also align releases to Patch Tuesday.
What is a hotfix vs a patch?
A hotfix is an emergency patch released outside the normal release cycle to fix a critical, actively-exploited vulnerability. A regular patch is released on a scheduled cycle. Both fix security issues; the difference is urgency and release process.
Do I need to reboot after every patch?
Not always. Application patches often require only a service restart. OS kernel patches and core library (libc, OpenSSL) patches typically require a full reboot for the fix to take effect. On Linux, tools like needs-restarting or checkrestart will tell you what needs to be restarted.