The Ubuntu 26.04 LTS Release Candidate (RC) was published on April 16, 2026. The final release is confirmed for April 23, 2026. No major feature changes are expected from RC to final; this is primarily a stability and polish phase.
Introduction: The Most Ambitious Security Update in a Decade
Ubuntu has one of the most reliable release cycles in the Linux world. On April 23, 2026, Ubuntu 26.04 LTS (codename: Resolute Raccoon) arrives — and what’s inside is arguably the most ambitious security update of the past ten years.
This article covers everything confirmed in the April 16, 2026 Release Candidate.
- Linux 7.0 + GNOME 50: Kernel and desktop both advance a generation simultaneously (confirmed in beta)
- Rust migration begins in earnest: sudo and core utilities gradually replaced with memory-safe implementations, reducing vulnerability risk
- X11 removed, TPM encryption, post-quantum crypto: Security is being redesigned at the OS architecture level
1. Going Rust: Memory Safety at the Foundation
The biggest technical story in this release is the serious adoption of Rust in core system components.
Rust is a programming language developed by Mozilla (first released 2015). Its defining feature is memory safety — it prevents the memory-related bugs common in C/C++ (buffer overflows, dangling pointers, etc.) at compile time, without sacrificing performance. Adoption in security-critical system software has accelerated rapidly.
sudo-rs: Rewriting the Keys to the Kingdom
The sudo command — the most privileged command on the system — is being replaced by sudo-rs, rewritten in Rust. ✅ Already shipped in Ubuntu 25.10; confirmed as the default in 26.04. A behavioral change: password input now shows * characters rather than nothing.
This eliminates the buffer overflow and other C-language vulnerabilities that have plagued sudo for decades. Past sudo CVEs like CVE-2021-3156 (“Baron Samedit”) would have been compile-time errors in Rust.
For embedded systems engineers: the concept of privilege separation is a constant design concern in RTOS environments as well. As memory-safe tools become the standard in general-purpose OSes, safer design patterns will propagate across the industry.
Core Utilities Rewritten in Rust: Safer ls, cp, mv
The GNU Coreutils — ls, cp, mv, and everything else engineers use every day — are being gradually replaced by uutils/coreutils v0.7.0 (a Rust implementation). 🧪 This is a staged rollout; GNU compatibility is approximately 88% at this point. A GNU coreutils fallback remains available. Full compatibility is targeted for future versions.
Traditional C implementations have 40+ years of stability — but also 40+ years of potentially undiscovered vulnerabilities. The migration to Rust brings compile-time safety checks that protect the next 40 years.
2. X11 Is Gone: GNOME 50 and Wayland-Only
GNOME 50, shipping with Ubuntu 26.04, ends an era.
X11 Completely Removed
The legacy X11 (X Window System), whose first version dates to 1984, has been completely removed from GNOME’s core components. X11’s fundamental architecture allows any application to access any other window on the screen — meaning keyloggers and screen capture tools are trivially easy to implement. This is incompatible with modern security requirements.
Wayland-Only: Enforced Security Boundaries
Wayland, the next-generation display server protocol, has been in development since 2008 with security and performance as design priorities.
Wayland is the system that manages what appears on your Linux desktop. Unlike X11 (designed in 1984, where all apps could see each other’s windows), Wayland isolates each app — it can only access its own window. Think of it like smartphone app sandboxing: each app is strictly separated, modern, and secure.
From 26.04 onward, GNOME’s X11 session is completely removed. However, XWayland (a compatibility layer that runs X11 apps on Wayland) remains available, so legacy X11 applications continue to work. Users who need native X11 are directed to other Ubuntu flavors like Kubuntu or Xubuntu.
In Wayland, each application can only draw within its own window. Peeking at another app’s screen content is architecturally prevented; key input interception is dramatically harder than in X11. This is the “principle of least privilege” applied to the desktop.
NVIDIA GPU: The Compatibility Problem Is Solved
Previous NVIDIA Wayland compatibility issues have been addressed by patches to the Mutter display manager. “Blocked frame time” has been shortened, resulting in noticeably smoother rendering. With NVIDIA’s proprietary driver now fully supporting GBM (Generic Buffer Management) and GNOME-side optimizations in place, X11-era performance is matched or exceeded.
3. “Ironclad” Security: TPM Encryption and Post-Quantum Cryptography
Security advances in 26.04 extend far beyond what’s visible on screen.
TPM-Based Full Disk Encryption
TPM (Trusted Platform Module) encryption, introduced in Ubuntu 25.10, reaches completion in 26.04. A new Security Center app makes post-install PIN/password changes and disk re-encryption straightforward.
TPM is a small security-dedicated chip built into the motherboard. It stores encryption keys inside dedicated hardware, making them far more protected than software-only encryption. Even if an attacker obtains your password, decryption only succeeds on the specific hardware with the specific OS state — like keeping a safe’s key inside a non-removable, dedicated safe. Required for Windows 11; standard on recent hardware.
TPM adoption is growing in industrial equipment as well — it’s essential for firmware tamper detection and secure boot in embedded systems. Its standardization in desktop Linux raises the baseline across the industry.
Post-Quantum Cryptography (PQC): Ready for the Quantum Era
OpenSSH and OpenSSL are updated to include hybrid post-quantum cryptographic algorithms as standard.
Quantum computers could theoretically break RSA and elliptic curve cryptography quickly. While practical quantum computers don’t exist yet, the “Store Now, Decrypt Later” attack — recording encrypted traffic today and decrypting it once quantum computers mature — is a recognized threat.
Ubuntu 26.04 implements ML-KEM (formerly CRYSTALS-Kyber), standardized by NIST in 2024, in a hybrid mode alongside classical algorithms. Even if quantum computers become widespread, communications remain secure.
The timeline for quantum computing threats is uncertain, but cryptographic migrations are known to take 10+ years. Starting now is not too early.
Snap App Permission Prompts: Smartphone-Style Security Model
When Snap packages attempt to access hardware or specific directories, users will now see permission prompts — the same model Android and iOS users are familiar with. Camera, microphone, location, specific directories: all sensitive resource access requires explicit user approval.
This shifts Linux closer to a “zero-trust architecture” model — even installed apps only receive minimum necessary permissions.
The permission prompt system (called Snap Prompting) has reached stable status in Ubuntu 26.04. Previously available as an opt-in preview in 24.10/25.10, it is now the standard behavior for all Snap packages. The UX closely resembles Android’s permission dialogs.
4. Performance and Usability
Unified App Store: DEB, Snap, and Flatpak in One UI
At last, DEB, Snap, and Flatpak packages are all manageable from a single UI. Search for an app, install it — the format doesn’t matter to the user. When multiple sources offer the same app, the best option is selected automatically or presented as a choice.
AI/ML Native Support: AMD ROCm Out of the Box
AMD ROCm (Radeon Open Compute) packages are now provided natively. PyTorch and TensorFlow AI development environments can be set up in minutes with no manual repository configuration.
ROCm has been gradually improving its CUDA parity. With 26.04 making it available directly from official repositories, AMD GPUs become a more accessible option for robotics vision processing, real-time sensor data analysis, and educational AI development.
NVIDIA CUDA Natively in Official Repositories: A First for Ubuntu LTS
Ubuntu 26.04 LTS is the first LTS release to include NVIDIA CUDA directly in the official Ubuntu repositories. Previously, NVIDIA’s external cuda.repo had to be manually added and maintained. In 26.04, a single apt command is all you need:
sudo apt install nvidia-cuda-toolkit
CUDA environments for machine learning, AI inference, and GPU computing are now fully integrated into Ubuntu’s standard package management — including automatic security updates via apt upgrade. This significantly simplifies setup for edge AI and embedded AI developers using NVIDIA GPUs.
amd64v3 Optimization Packages
Optimized amd64v3 packages are available optionally for modern processors supporting AVX2 and BMI2 instruction sets. For cryptographic processing, multimedia, and scientific computing, meaningful performance gains are expected on Haswell-era (2015+) CPUs.
5. Developer Toolchain Upgrades
Ubuntu 26.04 makes a major leap in built-in development tool versions — a notable improvement over 24.04 LTS.
| Tool | Ubuntu 24.04 LTS | Ubuntu 26.04 LTS |
|---|---|---|
| LLVM/Clang | 18 | 21 |
| OpenJDK | 21 | 25 |
| Rust | 1.80 | 1.93.1 |
| MySQL | 8.0 | 8.4 LTS |
| OpenSSH | 9.x | 10.2p1 |
MySQL 8.4 LTS removes several features deprecated in MySQL 8.0. In particular, mysql_native_password authentication plugin is no longer available by default. If you manage applications using older MySQL authentication, verify compatibility before upgrading.
OpenSSH 10.2p1: PQC as Default and DSA Removal
OpenSSH 10.2p1 brings two significant changes:
mlkem768x25519-sha256is now the default key exchange — a hybrid post-quantum algorithm (ML-KEM + X25519 ECDH). Connections between two OpenSSH 10.x hosts automatically use post-quantum key exchange.- DSA host keys and authentication completely removed — DSA keys (1024-bit, SHA-1 based) are no longer supported. If you have DSA keys in
~/.ssh/, they must be regenerated as RSA-4096, Ed25519, or ECDSA.
Run ssh-keygen -l -f ~/.ssh/id_dsa to check for DSA keys. If found, generate a replacement with ssh-keygen -t ed25519 and update authorized_keys on your servers before upgrading to 26.04.
6. Other Confirmed Updates
Linux Kernel 7.0 (Confirmed)
Ubuntu 26.04 ships with Linux Kernel 7.0.
Canonical originally targeted Linux 6.20, but Linus Torvalds bumped the version number to 7.0 at release — a change that had been under consideration. The content is identical to what would have been 6.20. Ubuntu 26.04 beta ships with Linux 7.0 confirmed.
Key improvements:
- Full Raspberry Pi 5 support — good news for embedded developers
- Intel Nova Lake / AMD Zen 6 support — latest generation CPU coverage
- Qualcomm Snapdragon X2 initial support — expanding ARM device coverage
- NTSYNC driver — significantly improves Windows game performance under Wine/Proton
- AMD GPU optimization — RDNA 3/4 performance improvements
- Filesystem improvements — Btrfs, XFS, ext4 stability
GNOME 50 Highlights
- VRR (Variable Refresh Rate) enabled by default — smoother display on gaming monitors and high-refresh panels
- Fractional scaling (125%, 150%) enabled by default — high-DPI display improvements without manual setup. Blur artifacts at non-integer scaling have also been significantly reduced compared to GNOME 46.
- App auto-start management — configure which apps launch at login directly from Settings → Apps, without needing GNOME Tweaks or a terminal
- Wayland color management protocol v2 — improved color accuracy
- HDR screen sharing support
- Parental controls / Screen Time — bedtime settings, auto-lock, time extension
- Remote desktop improvements — Vulkan and VA-API hardware acceleration, HiDPI scaling
Default app changes in 26.04:
| Previous | New Default | Highlight |
|---|---|---|
| GNOME Terminal | Ptyxis | Container-aware terminal |
| Totem | Showtime | Modern video player |
Other Confirmed Features
- JPEG XL native support — next-gen image format in the standard toolchain
- ARM64 Desktop ISO — official ISO for ARM devices
- Mesa 26.0 — OpenGL 4.6 / Vulkan 1.4, improved Intel/AMD/NVIDIA performance
- OpenJDK 25 as default Java
- systemd 259 — cgroup v1 completely removed, cgroup v2 only
- Kernel firmware package split — one massive package becomes 17 vendor-specific packages, dramatically reducing update transfer sizes
- Ubuntu Insights (formerly Ubuntu Report) — monthly, opt-in telemetry
Known Issues and Post-Release Updates
Security Advisory USN-8222-1 (April 29, 2026)
Six days after release, Canonical published a critical OpenSSH security advisory affecting Ubuntu 26.04 LTS and earlier versions.
| CVE | Summary | Severity |
|---|---|---|
| CVE-2026-35385 | Legacy scp (-O option) could install files with setuid/setgid permissions |
High |
| CVE-2026-35386 | Shell metacharacters in usernames could allow arbitrary code execution | High |
| CVE-2026-35387 | Incorrect algorithm option parsing causes unintended ECDSA algorithm use | Medium |
Affected: Ubuntu 26.04 LTS, 25.10, 24.04 LTS, 22.04 LTS
Fix: sudo apt update && sudo apt upgrade openssh-server openssh-client
The following USNs have also been published post-release:
| USN | Package | Issue |
|---|---|---|
| USN-8227-1 | curl | Multiple CVEs: information disclosure and crash potential |
| USN-8230-1 | Docker | Container privilege escalation potential |
| USN-8239-1 | Apache HTTP Server | mod_rewrite rule processing vulnerability |
Fix: sudo apt update && sudo apt upgrade
Other Known Issues (as of May 2026)
| Issue | Detail | Workaround |
|---|---|---|
| Apache2 + PHP JIT | Apache2 now sets MemoryDenyWriteExecute=yes in its systemd service, breaking PHP’s JIT compiler when using libapache2-mod-php |
Override via /etc/systemd/system/apache2.service.d/ or migrate to PHP-FPM + Nginx |
| NVIDIA suspend/resume ✅ Fixed | The suspend/resume visual corruption and freeze on Optimus laptops has been fixed in May 2026 driver updates. ubuntu-drivers autoinstall no longer exists — install drivers manually |
Update to latest NVIDIA driver: sudo apt install nvidia-driver-570 |
| User account creation error | Creating accounts in Settings → Users fails with “Child process exited with code 255” on some configurations | Use adduser command in terminal as workaround |
| IBM Z z14 and earlier | Ubuntu 26.04 dropped support for IBM Z z14 (LinuxONE II) and older — cannot install or upgrade | Remain on 24.04 LTS for these systems |
| uutils/coreutils audit | A security audit found 113 issues (70 CVEs + 73 others) in the Rust coreutils. Ubuntu 26.04 ships with v0.8 which includes most fixes; GNU coreutils fallback remains available | No user action needed — patches applied in v0.8 |
| sudo-rs output format change | sudo-rs output format differs from classic sudo. Scripts that parse sudo verbose output or rely on specific error message text may break | Audit any automation scripts that parse sudo output before upgrading |
Ubuntu 26.04.1 Schedule
The first point release, Ubuntu 26.04.1, is confirmed for August 4, 2026. This release will include accumulated bug fixes and will officially open the upgrade path from Ubuntu 24.04 LTS via the standard Software Updater prompt.
Summary: Ubuntu 26.04’s Security Revolution
| Feature | Impact |
|---|---|
| sudo-rs | sudo rewritten in Rust — C-origin memory vulnerabilities eliminated |
| uutils/coreutils | ls, cp, mv and others gradually getting Rust implementations |
| GNOME 50 / X11 removal | 40 years of X11 ends; Wayland enforces app isolation |
| TPM Full Disk Encryption | Hardware-backed key storage, manageable from Security Center |
| Post-Quantum Cryptography | ML-KEM hybrid mode in OpenSSH/OpenSSL |
| Snap permission prompts | Smartphone-style per-resource permission model |
| Linux 7.0 | Raspberry Pi 5, latest CPU support, NTSYNC |
| AMD ROCm native | AI/ML development on AMD GPUs streamlined |
Ubuntu 26.04 LTS is available for download from ubuntu.com on April 23, 2026.
Frequently Asked Questions
Q: When was Ubuntu 26.04 LTS released?
A: Ubuntu 26.04 LTS was released on April 23, 2026 and is available for download at ubuntu.com/download.
Q: How long is Ubuntu 26.04 LTS supported?
A: Ubuntu 26.04 LTS receives 5 years of standard support until April 2031. With Canonical’s Ubuntu Pro service, support extends to 10 years (until April 2036) via ESM (Extended Security Maintenance). For comparison: 24.04 LTS is supported until April 2029, 22.04 LTS until April 2027.
Q: Can I upgrade directly from Ubuntu 24.04 LTS?
A: Yes — upgrades are available now. Run sudo do-release-upgrade in a terminal to start. Ubuntu Pro 26.04.1 (the first point release, typically around August 2026) will also trigger an automatic prompt in Software Updater.
Q: I use X11-dependent apps. Will they break?
A: Not immediately. XWayland remains available and runs most X11 applications without modification. Only apps that directly access other windows’ data (certain automation tools, screen capture utilities) may need Wayland-native alternatives. Check your specific apps before upgrading.
Q: What are the minimum RAM requirements for 26.04?
A: The official minimum is 4 GB RAM for the desktop installer, with 8 GB recommended for comfortable daily use. The server edition runs on 1 GB. Requirements are unchanged from 24.04 LTS.
Q: Is Ubuntu 26.04 good for embedded Linux development?
A: Yes, several changes are embedded-relevant: Linux 7.0 adds full Raspberry Pi 5 support, LLVM/Clang 21 brings the latest compiler toolchain, and Rust 1.93.1 supports stable embedded development features. The kernel firmware package split also reduces image sizes for constrained storage targets.