CVE-2026-6369
Improper Access Control in Ubuntu Livepatch Allows Root Token Theft
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ubuntu | canonical-livepatch | to 10.15.0 (exc) |
| canonical | canonical-livepatch | to 10.15.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6369 is an improper access control vulnerability in the canonical-livepatch snap client versions prior to 10.15.0.
This flaw allows a local, unprivileged user to obtain a sensitive root-level authentication token by sending an unauthenticated request to the livepatchd.sock Unix domain socket.
The vulnerability is exploitable only on systems where the Livepatch client has been enabled by an administrator with a valid Ubuntu Pro subscription.
The stolen token enables an attacker to access Livepatch services using the victim’s credentials and potentially disrupt the Livepatch server.
How can this vulnerability impact me? :
If exploited, this vulnerability allows a local unprivileged user to obtain a root-level authentication token.
With this token, an attacker can access Livepatch services using the victim’s credentials.
The attacker could also potentially cause issues or disruptions to the Livepatch server.
This could lead to unauthorized access and interference with system patching services, which may affect system stability and security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect if your system is vulnerable, you should check the version of the canonical-livepatch snap client installed.
- Run the command `canonical-livepatch --version` to verify the installed version.
If the version is below 10.15.0, your system is vulnerable to this issue.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the canonical-livepatch snap client to version 10.15.0 or later.
- If installed from the latest/stable channel and automatic snap refreshes are enabled, the snap will update automatically.
- To update immediately, run `sudo snap refresh canonical-livepatch --channel latest/stable`.
- Ensure automatic updates are not blocked by running `snap refresh --unhold canonical-livepatch`.
If you suspect token compromise, contact Canonical Support for assistance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a local unprivileged user to obtain a sensitive, root-level authentication token, which could lead to unauthorized access to Livepatch services using the victim's credentials. Such unauthorized access to sensitive authentication tokens may result in exposure or misuse of protected data or system functions.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized access to sensitive authentication tokens could potentially lead to violations of these regulations if personal or protected health information is accessed or compromised as a result.
Mitigation involves updating the canonical-livepatch snap client to version 10.15.0 or later to prevent token compromise, which is critical to maintaining compliance with security requirements in such standards.