Ubuntu has released Kernel Live Patch Security Notice LSN-120-1, addressing critical vulnerabilities in the Linux kernel that could impact your organization's infrastructure. These vulnerabilities potentially allow attackers to escalate privileges, cause denial of service, or access sensitive information. What makes this notice particularly important is that it leverages Ubuntu's Kernel Live Patch service, enabling you to secure your systems without the operational disruption of reboots—critical for production environments and high-availability systems.
Technical Analysis
The LSN-120-1 notice addresses multiple CVEs in the Ubuntu Linux kernel across supported releases. The Ubuntu Kernel Live Patch service applies critical security fixes to a running kernel without requiring a system restart, so services stay available while the kernel is brought up to date.
Affected Platforms:
- Ubuntu 20.04 LTS (Focal Fossa)
- Ubuntu 22.04 LTS (Jammy Jellyfish)
- Ubuntu 23.10 (Mantic Minotaur)
The notice covers multiple CVEs with varying CVSS scores, including issues that could lead to:
- Privilege escalation
- Denial of service
- Information disclosure
- Bypass of security restrictions
Exploitation Status: While specific active exploitation details vary by CVE, kernel vulnerabilities are attractive targets for attackers due to their broad impact and the potential for complete system compromise. Applying these patches promptly should be a priority, especially for internet-facing systems or those in sensitive environments.
Detection & Response
Since kernel vulnerabilities operate at the lowest level of the system, detecting exploitation attempts can be challenging. The primary focus should be on identifying vulnerable systems and verifying patch application status.
```yaml
---
title: Ubuntu Kernel Module Load from Suspicious Directory
id: 4f8e2d1a-7c3b-4a5f-9e0d-2b1c3a4d5e6f
status: experimental
description: Detects potential kernel exploitation attempts via loading kernel modules from suspicious directories related to LSN-120-1
references:
  - https://ubuntu.com/security/notices/LSN-120-1
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.privilege_escalation
  - attack.t1547.006
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/usr/sbin/insmod'
      - '/usr/sbin/modprobe'
    CommandLine|contains:
      - '/tmp/'
      - '/dev/shm/'
      - '/var/tmp/'
  condition: selection
falsepositives:
  - Legitimate kernel module testing
level: high
---
title: Ubuntu Live Patch Status Check
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects Ubuntu Live Patch status checks that may indicate LSN-120-1 patch verification
references:
  - https://ubuntu.com/security/notices/LSN-120-1
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith: '/snap/bin/canonical-livepatch'
    CommandLine|contains: 'status'
  condition: selection
falsepositives:
  - Routine Live Patch monitoring
level: low
---
title: Ubuntu Kernel Version Check
id: 9a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d
status: experimental
description: Detects kernel version checks on Ubuntu systems that may be related to LSN-120-1 vulnerability assessment
references:
  - https://ubuntu.com/security/notices/LSN-120-1
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.discovery
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith: '/usr/bin/uname'
    CommandLine|contains: '-r'
  timeframe: 1h
  condition: selection
falsepositives:
  - System administration activities
level: low
```
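How the selection of the first rule evaluates, as an added example that is not part of the original rule set: fields inside `selection` are ANDed, the values listed under one field are ORed, and string matching ignores case. The events are constructed samples, and the small matcher is a hypothetical stand-in for a Sigma backend that covers only the two modifiers this rule uses.

```python
# Added example, not Security Arsenal's code: a minimal matcher for the
# "Kernel Module Load from Suspicious Directory" selection above.
SELECTION = {
    "Image|endswith": ["/usr/sbin/insmod", "/usr/sbin/modprobe"],
    "CommandLine|contains": ["/tmp/", "/dev/shm/", "/var/tmp/"],
}

# Only the two value modifiers this rule uses.
MODIFIERS = {
    "endswith": lambda value, pattern: value.endswith(pattern),
    "contains": lambda value, pattern: pattern in value,
}


def selection_matches(selection, event):
    """Fields are ANDed; values listed under one field are ORed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()  # Sigma string matching ignores case
        test = MODIFIERS[modifier]
        if not any(test(value, p.lower()) for p in patterns):
            return False
    return True


# Constructed process_creation events (hypothetical paths and module names).
EVENTS = [
    {"id": "insmod-tmp", "Image": "/usr/sbin/insmod", "CommandLine": "insmod /tmp/build/test.ko"},
    {"id": "insmod-vartmp", "Image": "/usr/sbin/insmod", "CommandLine": "insmod /var/tmp/ko/test.ko"},
    {"id": "modprobe-by-name", "Image": "/usr/sbin/modprobe", "CommandLine": "modprobe nf_conntrack"},
    {"id": "insmod-lib", "Image": "/usr/sbin/insmod", "CommandLine": "insmod /lib/modules/extra/vendor.ko"},
    {"id": "cat-tmp", "Image": "/usr/bin/cat", "CommandLine": "cat /tmp/notes.txt"},
    # insmod and modprobe are symlinks to kmod on Ubuntu; a log source that
    # records the resolved binary yields this Image, which the rule does not match.
    {"id": "kmod-resolved", "Image": "/usr/bin/kmod", "CommandLine": "insmod /tmp/build/test.ko"},
]


def matching_ids(events, selection=SELECTION):
    """Return the ids of the events the selection fires on."""
    return [e["id"] for e in events if selection_matches(selection, e)]


if __name__ == "__main__":
    print(matching_ids(EVENTS))
```

Replaying a few known-good and known-bad events like this before deployment shows whether the `Image` values your log source actually records line up with the rule's `endswith` patterns.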
```kql
// Detect Ubuntu systems checking kernel versions - potential LSN-120-1 monitoring
Syslog
| where SyslogMessage contains "uname" and SyslogMessage contains "-r"
| project TimeGenerated, Computer, SyslogMessage, ProcessName
| summarize count() by Computer, bin(TimeGenerated, 1h)
// Check for Live Patch status checks
| union (
    Syslog
    | where SyslogMessage contains "livepatch" or SyslogMessage contains "canonical-livepatch"
    | project TimeGenerated, Computer, SyslogMessage, ProcessName
)
```
```vql
-- Check for Ubuntu kernel version and live patch status
SELECT OS, Fqdn, KernelVersion, Uname
FROM info()
WHERE OS =~ "linux"

-- Check for live patch status
SELECT *
FROM execve(argv=["/snap/bin/canonical-livepatch", "status"])

-- Check for kernel modules loaded
SELECT Name, Size, UsedBy
FROM kernel_modules()
WHERE Name =~ "livepatch"
```
```bash
#!/bin/bash
# Ubuntu Kernel Live Patch Verification and Remediation Script
# Addresses LSN-120-1 vulnerabilities

echo "Checking Ubuntu Kernel Live Patch status..."

# Check if canonical-livepatch is installed
if ! command -v canonical-livepatch &> /dev/null; then
    echo "ERROR: canonical-livepatch is not installed"
    echo "Installing canonical-livepatch..."
    sudo snap install canonical-livepatch
    echo "Please configure your Live Patch token and run this script again"
    exit 1
fi

# Check Live Patch status
echo "Current Live Patch status:"
canonical-livepatch status

# Get current kernel version
echo "Current kernel version:"
uname -r

# Check for available patches
echo "Checking for available kernel live patches..."
canonical-livepatch refresh

# Verify patches are applied
echo "Verifying patch application..."
canonical-livepatch status --verbose

echo "Remediation complete. Please review the output above to confirm patches are applied."
```
Remediation
- Verify your Ubuntu version and kernel version using `uname -r` and `lsb_release -a`
- Ensure the canonical-livepatch service is installed: `sudo snap install canonical-livepatch`
- Configure your Live Patch token: `sudo canonical-livepatch enable YOUR_TOKEN`
- Refresh the Live Patch service: `sudo canonical-livepatch refresh`
- Verify patch application: `sudo canonical-livepatch status`
- For systems not using Live Patch, apply standard kernel updates:

  ```bash
  sudo apt update
  sudo apt upgrade
  sudo reboot
  ```
Official Advisory:
- Ubuntu Security Notice LSN-120-1: https://ubuntu.com/security/notices/LSN-120-1
Timeline:
- Priority: High
- Recommended Action: Apply Live Patch immediately
- For non-Live Patch environments: Schedule updates at next maintenance window