Rajan Patel
on 23 June 2026
Canonical Livepatch now officially supports Arm64, further expanding its security patching automation capabilities.
For the first time, Ubuntu on an Arm64 machine can apply critical kernel updates without service interruption or rebooting. Starting with Ubuntu Core 26 for Arm64, and with Ubuntu Core 20 and onwards for AMD64 machines, a wider range of devices and cloud virtual machines can achieve timely vulnerability remediation through Canonical Livepatch. This enhancement will strengthen the security of systems that do not receive security maintenance daily or weekly, and provides an operational advantage for organizations working towards Cyber Resilience Act (CRA) compliance.
Getting to this point was no small feat. In this article, we’ll be looking back at the significant technical hurdles that stood in the way just a few years ago, so we can fully appreciate the meaning of this milestone.
2023: the beginning
In late 2023, we conducted a comprehensive gap analysis to determine what it would take to bring live kernel patching to Arm64 processors. At the time, while Ubuntu provided Arm64 builds for nearly every released kernel, the ecosystem simply wasn’t ready to support live kernel patching on this architecture.
Live kernel patching requires the kernel to know exactly when it is safe to switch a running task to patched code. This relies heavily on reliable kernel stack traces (CONFIG_HAVE_RELIABLE_STACKTRACE). The upstream Arm64 kernel lacked a stable, fully accepted implementation for reliable kernel stack traces at the time. Furthermore, the toolchain required to compile and compare unpatched and patched kernels, including GCC, objdump, and Kpatch, lacked mature Arm64 support. While pull requests and patches existed (some dating back to 2021), they were still under intense discussion and not fully merged upstream.
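The safety check described above, as a simplified user-space model in C (an added example, not code from the kernel or from Canonical Livepatch; the struct, function and task names are hypothetical and the sample tasks are constructed). A task moves to the patched code only when a stack trace that can be trusted shows none of the patched functions still executing.

```c
/* Simplified user-space model of the per-task safety check; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { SWITCHED, BUSY, UNRELIABLE };

struct task {
    const char *stack[8];   /* function names, innermost first, NULL-terminated */
    bool reliable;          /* did the unwinder vouch for every frame? */
    bool patched;           /* task now runs the patched functions */
};

/* Try to move one task to the patched code. */
enum verdict try_switch(struct task *t, const char *const *patched_funcs)
{
    if (!t->reliable)
        return UNRELIABLE;      /* a missed frame could hide a patched function */
    for (size_t i = 0; t->stack[i]; i++)
        for (size_t j = 0; patched_funcs[j]; j++)
            if (strcmp(t->stack[i], patched_funcs[j]) == 0)
                return BUSY;    /* old code still on the stack; retry later */
    t->patched = true;
    return SWITCHED;
}

/* One pass over all tasks; returns how many are still on the old code. */
size_t transition_pass(struct task *tasks, size_t n, const char *const *patched_funcs)
{
    size_t pending = 0;
    for (size_t i = 0; i < n; i++)
        if (!tasks[i].patched && try_switch(&tasks[i], patched_funcs) != SWITCHED)
            pending++;
    return pending;
}

int main(void)
{
    /* Constructed sample: one idle task, one inside the patched function,
     * one whose stack could not be unwound reliably. */
    const char *const funcs[] = { "demo_parse_hdr", NULL };
    struct task tasks[] = {
        { { "schedule", "demo_read", NULL }, true, false },
        { { "schedule", "demo_parse_hdr", "demo_ioctl", NULL }, true, false },
        { { "schedule", NULL }, false, false },
    };
    printf("still on old code: %zu of 3\n", transition_pass(tasks, 3, funcs));
    return 0;
}
```

In this model a task whose trace is not reliable never passes the check, which is the gap that reliable stack traces close.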
2024–2026: the work really starts
With the proliferation of high-performance Arm processors in cloud environments and the increase in complex edge devices, solving this puzzle became an industry-wide imperative. Turning that 2023 gap analysis into today’s reality required a monumental, coordinated effort between engineers at major OS publishers, hyperscalers, silicon vendors, and the broader open source community. Once the toolchain prerequisites, the kernel consistency model for Arm64, and the implementation of reliable stack trace checks were finally merged upstream, the critical safety net required to swap code in a running kernel was officially in place.
In anticipation of these upstream developments, our engineers ensured that the Livepatch server and client were capable of distributing and managing Arm64 live kernel patches. Once we had the tooling from upstream to produce loadable, cumulative kernel modules for Arm64 processors, we began testing and putting our kernel build infrastructure through its paces.
Behind the scenes, our infrastructure teams went to work. Building live kernel patches requires compiling two copies of the Linux kernel. Because we test patches cumulatively for many kernels, on many Ubuntu versions, and on many architectures, the testing process represents an enormous computational requirement over time. Engineers orchestrate build farms to compile live kernel patches on target architectures, using the same compiler as the kernel.
For performance and correctness, we do not use architecture emulation for building or testing live kernel patches. We expanded our build farms with dedicated Arm64 instances, boosting performance to handle the heavy computational load of native compilation across hundreds of rolling kernel patches. We also built entirely new, architecture-specific regression test suites to guarantee that an Arm64 livepatch would be as stable as our AMD64 patches. Finally, we overhauled our livepatch distribution network and clients, ensuring seamless, multi-architecture delivery. In late February, the Arm64 Livepatch client for Ubuntu 26.04 LTS and Ubuntu Core 26 was applying live kernel patches in our test environments.
The present, and where we’re going next
Today, the culmination of all this live kernel patching work for Arm64 is available in Ubuntu 26.04 LTS and Ubuntu Core 26.
We have closed the technical gaps of recent years and replaced them with a robust, scalable pipeline that delivers rebootless security patches directly to your Arm64 infrastructure. Whether you are managing a fleet of remote edge devices or scaling out Arm-based cloud servers, if your systems are not security patched and rebooted daily or weekly, Canonical Livepatch serves as a key tool for maintaining a trusted and available fleet.


