Ubuntu 26.04 LTS Livepatch Brings Zero-Downtime Kernel Patching to Arm64

Canonical announced today that its Canonical Livepatch zero-downtime kernel hot-patching technology now supports the Arm64 architecture. For the first time, Ubuntu systems running on Arm64 processors can apply critical kernel security updates without interrupting services or requiring a reboot — a significant milestone for the rapidly expanding Arm server and edge computing ecosystem.

Livepatch allows system administrators to load specific security patches into a running Linux kernel while the system remains fully operational. This capability is especially valuable for servers, cloud instances, industrial systems, and remote edge devices — environments where scheduled downtime is either impractical or carries significant operational risk. By eliminating the need for emergency reboots, Livepatch dramatically improves security response times and reduces maintenance overhead.

According to Canonical, the feature is already available on Ubuntu Core 26 for Arm64 platforms. On the x86 side, AMD64 devices have been supported since Ubuntu Core 20. Devices running Ubuntu 26.04 LTS on Arm64 can also enable the service.

Extending Livepatch to Arm64 was no small feat. When Canonical conducted a gap analysis in late 2023, the upstream Arm64 kernel lacked a reliable kernel stack trace implementation, and toolchain support — including GCC, objdump, and Kpatch — was immature on the architecture. Overcoming these barriers required coordinated effort across major operating system vendors, large cloud providers, chip suppliers, and the open-source community. Canonical’s engineering team also expanded its build cluster with dedicated Arm64 instances to handle the substantial computational load of native compilation.

Canonical Livepatch targets kernel vulnerabilities rated “Critical” and “High” on the CVSS scale, particularly those with privilege escalation or remote code execution impact. It is important to note, however, that Livepatch does not replace regular system updates. Userspace components — such as OpenSSL and glibc — must still be updated through standard mechanisms. Likewise, Livepatch is not a permanent substitute for rebooting; it primarily eliminates the need for emergency restarts outside planned maintenance windows. Adopting a fully new kernel version still requires periodic reboots.

The service is designed for organizations running Ubuntu on Arm64 servers, cloud virtual machines, and remote devices, rather than for individual desktop users. Canonical Livepatch is included with an Ubuntu Pro subscription, offering up to 10 years of Livepatch coverage, with an additional 5 years available through the Ubuntu Pro Legacy add-on. Individual users and those evaluating the service can use it free of charge on up to five machines. The service also helps enterprises better meet compliance requirements under frameworks such as the EU Cyber Resilience Act.