CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.
Unattended-upgrades has a config option to auto reboot.
True.
But by default the unattended-upgrades timer has a randomized trigger time (so that not all Debian machines in the world start hammering the mirrors at the same time). If you enable the auto reboot option in unattended-upgrades, your boxes will reboot at an unpredictable time. I prefer doing this at known times (middle of the night when I know nothing important is running/number of users is low).
You can set a time in the config file.
Admittedly your cron job does the same thing, but I like to have everything in one place.
Every time I see people boasting about their uptime, I ask myself how old their kernel actually is.
I’ve set this auto reboot and never had to worry about patching my server.
Edit: yeah I know live patching is a thing, not worth the hassle for 99% of server workloads.