I used freebsd-update to binary upgrade an amd64 system running
14.1-RELEASE-p5 GENERIC to -p6. Doing so observably updated
/boot/kernel/ctl.ko, presumably fixing CVE-2024-45289 (the ctl
unbounded allocation problem).

However, I see that /boot/kernel/kernel itself did not change:
it is the same as /boot/kernel.old/kernel in both content and date
and thus contains the string 14.1-RELEASE-p5.

The system has been rebooted.

Despite the upgrade and reboot, and likely because 'kernel' itself is
unchanged, the nightly pkg audit test of the kernel still reports:

FreeBSD-kernel-14.1_5 is vulnerable:
FreeBSD -- Unbounded allocation in ctl(4) CAM Target Layer

So, my question is: Should the kernel have changed?

'freebsd-update IDS' says the SHA256 hash is wrong, but that's maybe to
be expected when comparing a built-from-scratch -p6 kernel with the -p5
kernel if freebsd-update figured it didn't need to be updated.

TIA,
-WBE