EdgeServers

kpatch on RHEL — patching kernel CVEs without the reboot

May 21, 2026 · 1 min read · by Sudhanshu K.

Live kernel patching on RHEL via kpatch is real, vendor-supported, and one of the highest-leverage tools in the RHEL fleet manager's kit. Red Hat ships live patches for the kernel CVEs it selects (Critical and Important severity) as ordinary RPMs. They load into the running kernel in seconds. Existing processes keep running. No reboot, no maintenance window, no scheduling fight with the application owners, at least until the live-patch window for that kernel closes.

This is the kpatch workflow we run on every managed RHEL host that subscribes to live patching.

Applying a kpatch

# Repository ID as given in this post; confirm the ID for your release with
# `subscription-manager repos --list` before relying on it
subscription-manager repos --enable=rhel-10-for-x86_64-kernel-live-patching-rpms

# kpatch = the tool that loads/unloads patch modules,
# kpatch-dnf = the dnf plugin that subscribes you to the patch stream
dnf install -y kpatch kpatch-dnf

# Subscribe: every `dnf upgrade` now pulls the kpatch-patch package that
# matches the running kernel (and the matching one when a new kernel is installed)
dnf kpatch auto
dnf kpatch status

# Verify: the module must be listed under "Loaded patch modules" and enabled in sysfs
kpatch list
kpatch info <patch-module>
grep . /sys/kernel/livepatch/*/enabled

After this, security errata for the running kernel arrive as kpatch-patch RPMs on your next dnf upgrade, and the RPM loads the patch module into the kernel on install. Your uname -r stays the same; the in-memory kernel is patched. Check kpatch list, not the kernel version string, when you audit a host.
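A host is only protected once the patch module is loaded, enabled, and has finished its transition (while transition is in progress, some tasks are still executing the old code). The script below is an added example, not EdgeServers' or Red Hat's tooling: it classifies a host from the real `kpatch list` output format and the upstream sysfs attributes /sys/kernel/livepatch/<module>/enabled and /transition. SYSFS_ROOT is an assumption added so the logic can be run against captured data; the module and kernel names in the stand-alone usage comment are constructed.

```shell
#!/bin/bash
# Added example (not part of the original post): decide whether this host is actually
# protected by its live patch before counting it as "patched" in a fleet roll-call.
# Real interfaces used: `kpatch list` output, /sys/kernel/livepatch/<module>/{enabled,transition}.
# SYSFS_ROOT is an assumption so the functions can be exercised on captured data.
set -u

SYSFS_ROOT="${SYSFS_ROOT:-/sys/kernel/livepatch}"

# Module names from the "Loaded patch modules:" section of `kpatch list` (stdin).
loaded_modules() {
    awk '/^Loaded patch modules:/ { s = 1; next }
         /^Installed patch modules:/ { s = 0 }
         s && NF { print $1 }'
}

# "module kernel" pairs from the "Installed patch modules:" section (stdin);
# the kernel version is printed in parentheses, which we strip.
installed_modules() {
    awk '/^Installed patch modules:/ { s = 1; next }
         s && NF { gsub(/[()]/, "", $2); print $1, $2 }'
}

# State of one loaded module from sysfs: patched | transition | disabled | missing.
# "transition" means the module is loaded but some tasks still run the old code,
# so the CVE is not closed yet.
module_state() {
    local dir="$SYSFS_ROOT/$1" enabled transition
    [ -d "$dir" ] || { echo missing; return; }
    enabled=$(cat "$dir/enabled" 2>/dev/null || echo 0)
    transition=$(cat "$dir/transition" 2>/dev/null || echo 0)
    if [ "$transition" = 1 ]; then echo transition
    elif [ "$enabled" = 1 ]; then echo patched
    else echo disabled; fi
}

# Verdict for the host: patched | transition | unpatched | stale
#   $1 = `kpatch list` output, $2 = running kernel (`uname -r`)
# "stale": kpatch-patch modules are installed but none targets the running kernel,
# which is what you see right after rebooting into a kernel that has no live patch yet.
host_state() {
    local list="$1" kernel="$2" mod verdict=unpatched
    if ! printf '%s\n' "$list" | installed_modules | awk '{ print $2 }' | grep -qxF "$kernel"; then
        printf '%s\n' "$list" | installed_modules | grep -q . && { echo stale; return; }
    fi
    for mod in $(printf '%s\n' "$list" | loaded_modules); do
        case "$(module_state "$mod")" in
            transition) echo transition; return ;;
            patched)    verdict=patched ;;
            *)          echo unpatched; return ;;
        esac
    done
    echo "$verdict"
}

# Stand-alone use on a real host (run as root so sysfs and kpatch are readable):
#   host_state "$(kpatch list)" "$(uname -r)"
```

Feed the verdict into whatever inventory you use for the fleet view; a host reporting transition for more than a few minutes usually has a process parked inside a patched function and needs a closer look before you call the CVE closed.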

The full write-up covers:

  • What kpatch can patch (function-level code fixes, which covers the selected Critical and Important CVEs Red Hat ships live patches for) and what it can't (changes to kernel data structures or anything a function replacement can't express)
  • The Red Hat support model: each kpatch-patch package is built for one exact kernel build, so it is tied to the running kernel version, not just its ABI
  • The 4-week kpatch lifetime: you still need to reboot to a new kernel eventually, and a host rebooted into a kernel that has no live patch yet is unpatched until one ships
  • kpatch on a cluster: coordinating "everyone's patched" across the fleet, which means checking that the module is loaded and enabled on every node, not just that the RPM is installed
  • Comparison with Ubuntu Livepatch (similar mechanism, different lifecycle)
  • The patches we still hold for reboot (kernel data structure changes, major releases)

We deploy kpatch on every managed RHEL host with the subscription.
