Livepatch is a valuable tool for fixing critical and high security kernel Common Vulnerabilities and Exposures, CVEs, at run-time, without the need for an immediate system reboot. However, it should not be used as a replacement for regular maintenance windows and rebooting. A good enterprise policy should include both livepatching and regular reboots to ensure the system remains stable and secure.
This is because some system CVEs, such as firmware or device driver updates, will still require a system reboot. Additionally, Livepatch does not include kernel updates for non-security bug fixes, lower-priority security fixes, and performance improvements.
Furthermore, there may be instances where critical kernel CVEs cannot be addressed through livepatching and will require a standard system update. Last but not the least, It is important to recognise that Livepatch is not a viable solution for upgrading to the next kernel release. To do so, a traditional system update is required…
