Is live kernel patching (kpatch) supported in Red Hat Enterprise Linux?


Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7.9
  • Red Hat Enterprise Linux 7.7
  • Red Hat Enterprise Linux 7.6
  • kpatch
  • AMD64, Intel 64 and ppc64le architectures

Issue

  • Does Red Hat offer a live kernel patching mechanism?
  • What is kpatch, and when will it be available?

Resolution

Live kernel patches (kpatches) avoid the need for a reboot when patching the kernel for select important and critical Common Vulnerabilities and Exposures (CVEs).

Scope and limitations of kpatch

  • Starting with RHEL 8.1, RHEL 7.7, and RHEL 7.6 (kernel-3.10.0-957.35.1.el7), live kernel patches are available on the Red Hat Content Delivery Network (CDN) and can be installed with the yum command.

  • No live patches are released for RHEL 8.3, RHEL 7.8, RHEL 6, or RHEL 5.

  • Live kernel patching is supported for customers with an active subscription.

  • Live kernel patches will be available for selected Important and Critical CVEs.

  • Live kernel patches are cumulative: a new live kernel patch for a given kernel contains all the fixes of the previous live kernel patch plus the new fixes, so the loaded live kernel patch can safely be upgraded to a newer version.

  • Live kernel patches for CVEs that occur between minor kernel releases are available with standard subscriptions. Customers who purchase Extended Update Support (EUS) can use live patching for the entire EUS support window: 2 years for EUS subscriptions and 4 years for the Update Services for SAP Solutions Add-on. Each kernel erratum stops receiving live kernel patches 6 months after that erratum was released, so to keep receiving kpatch updates, customers need to upgrade the kernel and reboot at least twice per year.

  • Unloading a kpatch from the kernel is not supported. The workaround is to uninstall the kpatch and reboot.

Access and delivery of live kernel patches

  • The live kernel patch capability is implemented as a kernel module (kmod) that is delivered as an RPM.
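Because the patch is a kernel module installed from an RPM, an operator can verify what the kernel actually reports as loaded and which package matches the running kernel. The following POSIX shell helpers are an added example, not part of this Red Hat solution: `kpatch_pkg_spec` builds the `kpatch-patch = <kernel release>` package spec (assumed virtual provide form) for a given release string, and `list_livepatches` reads the kernel's own livepatch sysfs tree (`/sys/kernel/livepatch/<module>/enabled`), taking the root directory as a parameter so it can be exercised against a constructed tree. The module name used in the comments is constructed, not a real patch name.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): helpers for checking
# live kernel patch state on a RHEL host.

# kpatch_pkg_spec: print the yum package spec for the live patch matching
# the given kernel release (normally "$(uname -r)"). Assumes the
# "kpatch-patch = <release>" virtual provide form.
kpatch_pkg_spec() {
    printf 'kpatch-patch = %s\n' "$1"
}

# list_livepatches: print "<module> <state>" for each live patch module the
# kernel reports under the livepatch sysfs tree. Each loaded livepatch is a
# directory with an "enabled" attribute (0 or 1). The root is a parameter
# (default: the real /sys/kernel/livepatch) so the function can be run
# against a constructed directory, e.g. one containing
# "kpatch_4_18_0_305_10_2/enabled" (constructed name, not a real patch).
list_livepatches() {
    root="${1:-/sys/kernel/livepatch}"
    if [ ! -d "$root" ]; then
        echo "livepatch sysfs tree not present (kernel built without CONFIG_LIVEPATCH?)" >&2
        return 1
    fi
    found=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue      # no match: the glob is left literal
        name=$(basename "$d")
        state=unknown
        if [ -r "$d/enabled" ]; then
            case "$(cat "$d/enabled")" in
                1) state=enabled ;;
                0) state=disabled ;;
            esac
        fi
        printf '%s %s\n' "$name" "$state"
        found=1
    done
    [ "$found" -eq 1 ] || echo "no live patches loaded"
    return 0
}

# Stand-alone run: show the spec for the running kernel and what is loaded.
# On a host without the livepatch sysfs tree only the note on stderr appears.
kpatch_pkg_spec "$(uname -r)"
list_livepatches || true
```

On a RHEL host the first line is the argument you would pass to `yum install`, and the second block should list the cumulative patch module that the kernel currently has enabled; an empty list on a kernel that is inside its 6-month live patch window is worth a second look, because it means the host is still exposed to the CVEs the patch covers.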

For more information, see:

  • Applying patches with kernel live patching in RHEL 9
  • Applying patches with kernel live patching in RHEL 8
  • Applying patches with kernel live patching in RHEL 7
