How can I confirm for sure that a CVE has been mitigated on a RHEL system?

I have this problem, I'm trying to see if a group of servers are vulnerable to the CVE CVE-2024-1086 so what I do in the server is rpm -qa --changelog kernel | grep 2024-1086, and I get this as output: - netfilter: nf_tables: reject QUEUE/DROP verdict parameters (Florian Westphal) [RHEL-24009 2262126] {CVE-2024-1086}, which **I think** means that the cve has been mitigated in that system. However, the client says that their scan that they are using to check if the system is vulnerable is still showing that the server is vulnerable, do you know if with that output I can say that their scan is giving them a false positive or is there any other way to confirm for sure that the system is not vulnerable anymore to that CVE?