CME-1102

Live Kernel Patching (kpatch/livepatch)

Description

Applies critical kernel security fixes without system reboot, eliminating the patch-reboot delay that leaves systems vulnerable. Patches are applied to the running kernel in memory.

CVSS Vector Impacts

Metric | Transition | Rationale
--- | --- | ---
Attack Complexity (AC) | L → H | Temporal: kernel vulnerability patched immediately without reboot window

CWE Relationships

Verification

Check for active kernel live patches

$ kpatch list
# Expected: installed
Platform: rhel

$ canonical-livepatch status
# Expected: running
Platform: debian
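
A tool-independent version of the same check, added here as an example and not part of the original entry: it reads the kernel's own live patch state from /sys/kernel/livepatch, so it works whether the patch was loaded by kpatch or canonical-livepatch. The optional root-directory argument is a hypothetical override used only for testing against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original page): report live patch state from sysfs.
# The kernel exposes one directory per loaded patch under /sys/kernel/livepatch,
# each with an "enabled" and a "transition" attribute.
# The optional first argument is a hypothetical override of that root.
livepatch_state() {
    root="${1:-/sys/kernel/livepatch}"
    active=0
    pending=0

    # Root directory absent: this kernel has no live patching support.
    if [ ! -d "$root" ]; then
        echo "livepatch: unsupported"
        return 2
    fi

    for dir in "$root"/*/; do
        [ -f "${dir}enabled" ] || continue   # also skips an unmatched glob
        name=$(basename "$dir")
        enabled=$(cat "${dir}enabled")
        transition=$(cat "${dir}transition" 2>/dev/null || echo 0)

        if [ "$transition" = "1" ]; then
            # Some tasks may still run unpatched code until the transition ends.
            echo "$name in-transition"
            pending=$((pending + 1))
        elif [ "$enabled" = "1" ]; then
            echo "$name active"
            active=$((active + 1))
        else
            echo "$name disabled"
        fi
    done

    # Pass only when at least one patch is fully applied and none is mid-transition.
    [ "$active" -gt 0 ] && [ "$pending" -eq 0 ]
}
```

Exit status 0 means at least one patch is fully applied, 1 means no patch is active or one is still in transition, and 2 means the kernel does not expose the livepatch interface.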