What Happened
An improper access control vulnerability was discovered in the canonical-livepatch snap (prior to version v10.15.0, see CVE-2026-6369 for more details). This flaw allows a local, unprivileged user to obtain a sensitive, root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket.
This vulnerability is exploitable on systems where an administrator has already enabled the Livepatch client with a valid Ubuntu Pro subscription. The token allows an attacker to access Livepatch services using the victim's credentials, as well as potentially cause issues on the Livepatch server.
Who Is Affected
This vulnerability affects systems where:
- The canonical-livepatch snap client version is earlier than v10.15.0.
- An administrator has previously enabled the Livepatch client with a valid Ubuntu Pro subscription.
- The system has local unprivileged users who could exploit the vulnerability.
If the Livepatch client is installed but has never been enabled with a subscription, the exposure risk is minimal.
How to Secure Your System
The issue is fully mitigated by updating the canonical-livepatch snap to version v10.15.0 or later.
Recommended Action: Update the Snap
If the canonical-livepatch snap was installed from the latest/stable channel and snapd's automatic refresh feature has not been put on hold, snapd will update the snap to the latest version automatically, and no further action is required.
To confirm that the canonical-livepatch snap has the version v10.15.0 or newer, run the command:
canonical-livepatch --version
If the version of the canonical-livepatch snap is below v10.15.0 (e.g. v10.14.0 or v10.12.2), administrators should immediately update the snap on all affected systems by running the following command:
sudo snap refresh canonical-livepatch --channel latest/stable
This command will update the snap to the latest stable version, which includes the necessary security fix (version v10.15.0 or newer).
To benefit from all future updates and security fixes to the Livepatch client, it is recommended to always install the canonical-livepatch snap from the latest/stable channel and not to disable automatic snap refreshes for the canonical-livepatch snap.
Automatic snap refreshes are handled by the snapd process and can only be blocked by explicitly running snap refresh --hold.
To ensure that automatic updates of the canonical-livepatch snap package are not blocked, run the following command:
snap refresh --unhold canonical-livepatch
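The check-then-refresh procedure above, written as one POSIX shell script so it can be run across a fleet. This is an added example and not part of the Canonical advisory or the canonical-livepatch snap. It assumes that `canonical-livepatch --version` prints a dotted version such as 10.14.0 somewhere in its output (the exact output format is not specified by the advisory) and that `snap` is on PATH. The version comparison is done numerically per component rather than as a string, so a build like 10.9.0 is correctly treated as older than 10.15.0 (a plain string comparison would get that wrong).

```shell
#!/bin/sh
# Added example (not from the advisory): refresh canonical-livepatch if the
# installed version is older than the fixed release, and clear any refresh hold.

# First version containing the fix, as stated in the advisory.
FIXED_VERSION="10.15.0"

# Print the first X.Y.Z version found in arbitrary text; prints nothing if absent.
# Assumption: the --version output contains such a dotted triple.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Numeric, component-wise comparison of two dotted versions.
# Returns 0 if $1 is strictly lower than $2, 1 otherwise.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Returns 0 when the given --version output indicates a pre-fix build,
# 1 when it is at or above FIXED_VERSION, and 2 when no version can be parsed.
needs_update() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

main() {
    out=$(canonical-livepatch --version 2>&1) || {
        echo "canonical-livepatch is not installed or not on PATH" >&2
        exit 2
    }
    if needs_update "$out"; then
        echo "vulnerable version detected ($out); refreshing from latest/stable"
        sudo snap refresh canonical-livepatch --channel latest/stable
    else
        echo "canonical-livepatch is already at or above v$FIXED_VERSION"
    fi
    # Make sure future automatic refreshes are not blocked by a hold.
    snap refresh --unhold canonical-livepatch
}

# Only act on the live system when explicitly asked; otherwise the functions
# above can be sourced and exercised without touching snapd.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh livepatch-check.sh --apply` on each host; without `--apply` it only defines the functions, which makes it easy to dry-run the parsing logic against captured `--version` output.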
If you believe your token was compromised by a local unprivileged user, please contact Canonical Support.