Canonical Ships Ubuntu Core 26 with 15 Years of Security Maintenance
Canonical released Ubuntu Core 26, a minimal immutable OS for IoT and edge devices, with up to 15 years of security maintenance.
Canonical has released Ubuntu Core 26, the latest long-term supported version of its minimal, immutable operating system designed for IoT and edge devices. The new release offers security maintenance lasting up to 15 years, targeting operators of industrial sensors, edge AI controllers, and connected medical equipment that require long-term patch support. The release also aims to help customers comply with the European Union's Cyber Resilience Act (CRA) and support attested edge AI workloads.
Ubuntu Core 26 introduces an improved snap-delta format that reduces update sizes by 50% to 90% for most snaps. Updates to the Core base snaps now weigh only 1.5MB, down from 16MB, and initramfs-based installations skip redundant reboots by default, shortening device provisioning time. Renesas collaborated with Canonical to integrate Core with its RZ family of microprocessor units, delivering accelerated boot times and a reduced base image footprint for resource-constrained hardware running AI workloads.
The headline engineering change is a new build system based on Chisel, Canonical's tool for assembling filesystems from release-specific package slice definitions. Every file in a Core 26 image can be traced to its originating slice and source package, improving the accuracy of integrity checks and vulnerability triage. This approach differs from Yocto builds, where provenance and dependency closure sit implicitly inside layered recipes and post-processing scripts. The new build path also trims base image size by 7%.
Full disk encryption sees foundational changes in this release. TPM-sealed keys are now stored directly within the LUKS2 header, reducing the risk of key reuse across device states. Native OP-TEE integration brings ARM TrustZone hardware-rooted key protection to embedded deployments, sealing and unsealing disk encryption keys through the Trusted Execution Environment and limiting key exposure to the normal operating system.
Canonical assumes Manufacturer responsibilities under the Cyber Resilience Act for the operating system's release cycle, covering security maintenance for core modules, continuous CVE monitoring, coordinated disclosure, and compliance with IEC 62443-4-1. Livepatch, Canonical's rebootless kernel patching service, now covers ARM64 starting with Ubuntu Core 26 and is officially supported on AMD64 across all releases from Ubuntu Core 20 onwards. This expansion extends zero-downtime kernel updates to a wider range of devices, addressing one of the CRA's vulnerability-remediation requirements.
Ubuntu Frame, the Core display server for embedded graphical applications, now supports multiple graphical applications on a single display, with configurable layouts, custom client placement, and a new accessibility launcher. A gpu-2604 interface brings graphics acceleration to Core 26 applications through a Snapcraft extension. Devices can stream logs and metrics to the Canonical Observability Stack, which runs on Juju and Kubernetes with Grafana, Loki, and Prometheus deployed in the cloud or on-premises.
Jon Seager, VP of Ubuntu Engineering at Canonical, said the Core security model of strictly confined components, transactional updates, and independent verifiability is reflected in emerging industry standards ten years after the platform first appeared. With Ubuntu Core 26, Canonical continues to strengthen its position in the IoT and edge computing market, offering a secure, long-term supported OS that meets regulatory requirements and the demands of modern AI workloads.