Canonical Livepatch in production — patching kernel CVEs without rebooting
May 14, 2026 · 1 min read · by Sudhanshu K.
Canonical Livepatch is one of the highest-leverage tools available to anyone running an Ubuntu fleet at scale. Kernel CVEs land routinely. The orthodox response is "schedule a reboot maintenance window." Livepatch lets you apply the patch in-place, in seconds, on a live kernel, without a reboot — which means you can be patched against today's CVE before the public exploit is widely deployed.
What it doesn't do is cover everything. Some patches can't be live-applied. The Pro subscription has a cost. Some teams need to consider the alternatives.
Enabling Livepatch
sudo pro attach <token>
sudo pro enable livepatch
sudo canonical-livepatch status
# Per-host check, suitable for monitoring
sudo canonical-livepatch status --format json | jq '.machine'
Patches arrive automatically. The kernel patch table is updated in-memory. Existing processes continue running. You verify with canonical-livepatch status or by reading /proc/livepatches/.
The full write-up covers:
- What Livepatch can patch (most CVE classes) and what it can't (changes to core data structures)
- Ubuntu Pro economics — the free tier (5 hosts), the paid tier per-machine pricing
- Monitoring livepatch status across the fleet
- The 4-week effective lifetime of a livepatch — you still need to reboot eventually
- Alternatives: kpatch (RHEL/SUSE), kernel rebuild + reboot, container-only patching
- Coordinating Livepatch with kernel auto-upgrades from unattended-upgrades
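As an added example (not code from the article or from Canonical), here is the shape of a per-host fleet check for the monitoring and 4-week-lifetime items above: it parses a constructed `canonical-livepatch status --format json` document and reports whether the running kernel is patched and whether the host is overdue for a reboot. The JSON field names and the use of uptime since boot as the patch-age measure are assumptions, not taken from the article.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout assumed for `canonical-livepatch status --format json`.
# Field names are an assumption; confirm against your client version before relying on them.
SAMPLE_STATUS = """
{
  "client-version": "10.8.0",
  "machine-id": "CONSTRUCTED-MACHINE-ID",
  "architecture": "x86_64",
  "boot-time": "2026-04-01T08:00:00Z",
  "last-check": "2026-05-14T09:30:00Z",
  "status": [
    {
      "kernel": "6.8.0-31.31-generic",
      "running": true,
      "livepatch": {
        "checkState": "checked",
        "patchState": "applied",
        "version": "107.1",
        "fixes": "* CVE-PLACEHOLDER-1"
      }
    }
  ]
}
"""

# Constructed reference time for the example run.
NOW = datetime(2026, 5, 14, 10, 0, tzinfo=timezone.utc)
MAX_LIVEPATCH_AGE = timedelta(weeks=4)  # effective lifetime noted in the article


def evaluate_host(status_json, now):
    """Return findings for one host: patched?, reboot required?, and why."""
    data = json.loads(status_json)
    findings = {"patched": False, "reboot_required": False, "reasons": []}
    running = [k for k in data.get("status", []) if k.get("running")]
    if not running:
        findings["reasons"].append("no running kernel reported")
        return findings
    lp = running[0].get("livepatch", {})
    # Only a checked-and-applied patch counts; anything else is an alert.
    if lp.get("patchState") == "applied" and lp.get("checkState") == "checked":
        findings["patched"] = True
    else:
        findings["reasons"].append(f"patchState={lp.get('patchState')} checkState={lp.get('checkState')}")
    # Assumption: uptime since boot approximates how long this host has relied on livepatches.
    boot = datetime.fromisoformat(data["boot-time"].replace("Z", "+00:00"))
    uptime = now - boot
    if uptime > MAX_LIVEPATCH_AGE:
        findings["reboot_required"] = True
        findings["reasons"].append(f"uptime {uptime.days}d exceeds 4-week livepatch lifetime")
    return findings
```

Run it across a fleet by collecting each host's JSON status and feeding it to evaluate_host; alert on any host that is unpatched or reboot_required.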
We deploy Livepatch on every managed Ubuntu host that runs Ubuntu Pro.