diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 798d89102ee72..af754b4c87927 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -22,41 +22,41 @@
     "5.10": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.10.134-hardened1.patch",
-            "sha256": "0d6ygrsssbww9aqy55q1zxq2b1y9lwnz0j8xfqpya3c3hll1951a",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.134-hardened1/linux-hardened-5.10.134-hardened1.patch"
+            "name": "linux-hardened-5.10.135-hardened1.patch",
+            "sha256": "05r6k83y2mpyx0ah9xjczmq2p3721jx911p1wxswwrv5rwia6x36",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.135-hardened1/linux-hardened-5.10.135-hardened1.patch"
         },
-        "sha256": "0s9j4zzck9880kvyb18i2ng6dc16p0dwsi95mkwdhg83vyn16dgc",
-        "version": "5.10.134"
+        "sha256": "0i1kahv739qpyyml7d7sx306nv7gp55i5d97vlb0fryfx4dsd6g4",
+        "version": "5.10.135"
     },
     "5.15": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.15.58-hardened1.patch",
-            "sha256": "1c2friimfzi5i0x76z66wdgkfafly1rhpy8zzs7li3s79d22138k",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.58-hardened1/linux-hardened-5.15.58-hardened1.patch"
+            "name": "linux-hardened-5.15.59-hardened1.patch",
+            "sha256": "08vw8f420nld6bs854m9z2w9kg6cbdav08j99fbivda5zlf8bm18",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.59-hardened1/linux-hardened-5.15.59-hardened1.patch"
         },
-        "sha256": "1a2gzjfymfafvk8cvibr1zdfydzxg0c5j772c9hqwcabkibxjnyp",
-        "version": "5.15.58"
+        "sha256": "1jxw6fnc7yaw7r6193wy6l8wdlpy3frw48drnc3dnh3k0m1cdpg6",
+        "version": "5.15.59"
     },
     "5.18": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.18.15-hardened1.patch",
-            "sha256": "0ir6k4d9mx4skyhxjin2hn237kl3qh6cl0kmjqkqyxkm83k12kln",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.18.15-hardened1/linux-hardened-5.18.15-hardened1.patch"
+            "name": "linux-hardened-5.18.16-hardened1.patch",
+            "sha256": "0f24p9m4wbmh99iwa2cf4d7q33qcpvazzn60ngm6mpa3vynm4lx3",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.18.16-hardened1/linux-hardened-5.18.16-hardened1.patch"
         },
-        "sha256": "0g5yvhq7rmkzvfl4w50l7bg56a20insvg4s4nvgnk2iqvkmlz039",
-        "version": "5.18.15"
+        "sha256": "1khi1npn8d8jimwdy8bf3r7l780mxdmvk5azdv419pk33qjqdxgi",
+        "version": "5.18.16"
     },
     "5.4": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.4.208-hardened1.patch",
-            "sha256": "0pknl9ac0qn8yig1hfm3hmlmvf5pxswymyilv0w3kcsacgg22xyi",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.208-hardened1/linux-hardened-5.4.208-hardened1.patch"
+            "name": "linux-hardened-5.4.209-hardened1.patch",
+            "sha256": "1s7fis20x9ahvm2d344hff31kjvnm76ykqn423vk9lsb8ivnsy93",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.209-hardened1/linux-hardened-5.4.209-hardened1.patch"
         },
-        "sha256": "0i0fxv04r6g5ha84chih5cqsy59cv67pjxp8zfrdk1qapwddyvgh",
-        "version": "5.4.208"
+        "sha256": "1kdnz99k7zspzaxqaxahbf6hncigy4cvjlb79jsy7a95qxxr31qf",
+        "version": "5.4.209"
     }
 }
diff --git a/pkgs/os-specific/linux/kernel/hardened/update.py b/pkgs/os-specific/linux/kernel/hardened/update.py
index d0f8c77c783f4..8b40088756e1e 100755
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@@ -1,5 +1,5 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i python -p "python38.withPackages (ps: [ps.PyGithub])" git gnupg
+#! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
 
 # This is automatically called by ../update.sh.
 
@@ -201,7 +201,7 @@ def commit_patches(*, kernel_key: str, message: str) -> None:
             (callPackage {NIXPKGS_KERNEL_PATH / filename} {{}}).version
         """
         kernel_version_json = run(
-            "nix-instantiate", "--eval", "--json", "--expr", nix_version_expr,
+            "nix-instantiate", "--eval", "--system", "x86_64-linux", "--json", "--expr", nix_version_expr,
         ).stdout
         kernel_version = parse_version(json.loads(kernel_version_json))
         if kernel_version < MIN_KERNEL_VERSION:
diff --git a/pkgs/os-specific/linux/kernel/linux-4.19.nix b/pkgs/os-specific/linux/kernel/linux-4.19.nix
index afa8423d578b6..0981efb66a774 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.19.254";
+  version = "4.19.255";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1rd40wmdaymbly2zvf60mjqsflkd4n1y232qz0ixn1rfl28yz62i";
+    sha256 = "0hwa3g09cmllc2z01s2jqbczpznzdp3ldngx18k5c2ac7w394fbp";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.10.nix b/pkgs/os-specific/linux/kernel/linux-5.10.nix
index a7184b37f435f..a9fde05e0ca52 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix
@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.10.135";
+  version = "5.10.136";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0i1kahv739qpyyml7d7sx306nv7gp55i5d97vlb0fryfx4dsd6g4";
+    sha256 = "0naiwihlj6aswnqwdz3xzmga98xpj5lf2iy9vxqzdng7b46rs28w";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.15.nix b/pkgs/os-specific/linux/kernel/linux-5.15.nix
index e6e3ca260ee23..636ec481748b2 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.15.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.15.nix
@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.15.59";
+  version = "5.15.60";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1jxw6fnc7yaw7r6193wy6l8wdlpy3frw48drnc3dnh3k0m1cdpg6";
+    sha256 = "0yi3bvqz4qn8nvgr910ic09zvpisafwi282j0y2gvbvgr7vlb59d";
   };
 } // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.18.nix b/pkgs/os-specific/linux/kernel/linux-5.18.nix
index edfdb859503f9..ebba401dd6714 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.18.nix
@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.18.16";
+  version = "5.18.17";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1khi1npn8d8jimwdy8bf3r7l780mxdmvk5azdv419pk33qjqdxgi";
+    sha256 = "0i7yms65b8kxjm92ahic0787vb9h7xblbwp1v6cq8zpns3ivv0ih";
   };
 } // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.19.nix b/pkgs/os-specific/linux/kernel/linux-5.19.nix
index 5c622c24a5764..79d106150b4b4 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.19.nix
@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.19";
+  version = "5.19.1";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1a05a3hw4w3k530mxhns96xw7hag743xw5w967yazqcykdbhq97z";
+    sha256 = "0mgak94i4z9s1kdyw211ks4si4ngaii71xdiin06pim2ds97pqpl";
   };
 } // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix
index e727097c028db..3018d83840e33 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.4.209";
+  version = "5.4.210";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1kdnz99k7zspzaxqaxahbf6hncigy4cvjlb79jsy7a95qxxr31qf";
+    sha256 = "13l8zh5balciqhi4k4328sznza30v8g871wxcqqka61cij3rc0wl";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
index 7ee37c5b261a9..898bd1d18ad13 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.4.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.4.193-rt74"; # updated by ./update-rt.sh
+  version = "5.4.209-rt77"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -14,14 +14,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "187jfk9hf52n5z9yv56vq1knp3kdcbyk5w5k98ziwcbdjm1x65hd";
+    sha256 = "1kdnz99k7zspzaxqaxahbf6hncigy4cvjlb79jsy7a95qxxr31qf";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "1gn4ii5pr0870ba481nqbd5rxk7ajrarv1p5mipfi42x07rpn7c2";
+      sha256 = "1wh5m7ychgnn33yg7gg9nlwcmmm72dixvdf77m764hs90xl8c9ig";
     };
   }; in [ rt-patch ] ++ kernelPatches;