Livepatch now patches the kernel on Arm64 with no reboots

Ubuntu 26.04 LTS desktop with the GNOME desktop environment
Image: Canonical Limited / GPL · Wikimedia Commons

Canonical has closed one of the more visible gaps in its security story: Livepatch, the service that applies kernel fixes without rebooting the machine, now officially supports the Arm64 architecture. Until now this only worked on AMD64, so anyone running Arm-based servers or devices had to schedule maintenance windows and reboots every time a serious kernel flaw showed up. That changes.

What’s announced and where it works

Arm64 support arrives with Ubuntu 26.04 LTS and Ubuntu Core 26. On the AMD64 side, coverage stays as it was, from Ubuntu Core 20 onwards. The idea is straightforward: when a critical kernel vulnerability turns up, Livepatch applies the fix in place and the machine keeps running without dropping the service or losing in-memory state.

For an architecture like Arm64, common across edge device fleets, cloud servers, and hardware that isn’t updated every day, being able to plug a kernel hole without touching availability shifts the operational math.

Why it took so long to get here

Patching a running kernel is not trivial. The system has to stop threads at a safe point, check that none of them is executing code that’s about to change, and only then switch to the patched version. That requires reading the call stack reliably, which on Arm64 depended on having CONFIG_HAVE_RELIABLE_STACKTRACE and the kernel consistency model sorted out for that architecture.
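
The check described above can be observed from userspace. The following is an added example, not code from Canonical's announcement or the Livepatch client: it tests a kernel config for the prerequisites named here and lists threads that are still holding up a transition, using the upstream kernel's livepatch sysfs and `/proc/<pid>/task/<tid>/patch_state` files. The function names, the `ROOT` argument and the `/boot/config-*` path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: function names and the ROOT argument are illustrative.
# ROOT is "" on a live host, or a directory holding a copied/constructed tree.

# kconfig_enabled FILE SYMBOL: succeed if SYMBOL is built in (=y) in a kernel config.
kconfig_enabled() {
    grep -qx "$2=y" "$1"
}

# livepatch_prereqs FILE: fail and name the missing symbols if the kernel
# lacks livepatch support or the reliable stack traces discussed above.
livepatch_prereqs() {
    missing=""
    for sym in CONFIG_LIVEPATCH CONFIG_HAVE_RELIABLE_STACKTRACE; do
        kconfig_enabled "$1" "$sym" || missing="$missing $sym"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# blocking_tasks ROOT PATCH: print thread IDs that have not reached the
# target state of an in-progress transition for PATCH.
# patch_state values: -1 = no transition, 0 = unpatched, 1 = patched.
blocking_tasks() {
    dir="$1/sys/kernel/livepatch/$2"
    [ "$(cat "$dir/transition")" = 1 ] || return 0   # nothing in flight
    target=$(cat "$dir/enabled")                     # 1 = patching, 0 = reverting
    for f in "$1"/proc/[0-9]*/task/[0-9]*/patch_state; do
        state=$(cat "$f" 2>/dev/null) || continue    # thread exited, or no match
        case "$state" in "$target"|-1) continue ;; esac
        tid=${f%/patch_state}
        echo "${tid##*/}"
    done
}

# Usage on a live host (assumed Ubuntu classic config path; the patch name
# is whatever directory appears under /sys/kernel/livepatch):
#   livepatch_prereqs "/boot/config-$(uname -r)"
#   for p in /sys/kernel/livepatch/*/; do blocking_tasks "" "$(basename "$p")"; done
```

Run it as root to see every task's `patch_state`. A thread that stays in the output for a long time is one the kernel has not yet caught at a safe point.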

Canonical dates the initial gap analysis to late 2023, with upstream work coordinated between 2024 and 2026 alongside other OS publishers, hyperscalers, and silicon vendors. The Arm64 Livepatch client for Ubuntu 26.04 LTS started running in test environments in late February 2026. Underneath it all, a mature toolchain (GCC, objdump, Kpatch) had to be able to produce these patches on Arm64.

How they built it under the hood

One detail worth knowing: no emulation. Canonical expanded its build farms with dedicated Arm64 instances to compile natively, and wrote regression test suites specific to the architecture. Every live patch means compiling two copies of the kernel for cumulative testing, so an Arm64 patch goes through the same verification already applied to AMD64 ones. The goal is matching stability on both sides, not a second-class port.

What this gives you

If you manage machines that aren’t patched daily or weekly, and in the Arm world that’s very common, this is the difference between applying a critical fix as soon as it ships and waiting for the next maintenance window with the vulnerability exposed in the meantime. Canonical also frames it around Cyber Resilience Act (CRA) compliance: keeping systems current on security no longer clashes with the need to avoid downtime.

Livepatch is part of Ubuntu Pro, which is free for personal use up to a number of machines. To review what else the subscription covers and the release lifecycle, see the Ubuntu page.

Source

Original Canonical announcement: Canonical announces live kernel patching for Arm64 (ubuntu.com/blog).