Canonical Offers Immutable Linux Until 2041 with Ubuntu Core 26 & Full EU CRA Compliance
Canonical has released Ubuntu Core 26, a minimal, immutable Linux operating system engineered for edge computing, IoT, and embedded devices — promising up to 15 years of security maintenance through 2041, and positioning itself as the compliance-ready foundation for the European Union’s Cyber Resilience Act (CRA).
What Is Ubuntu Core?
Ubuntu Core is an embedded Linux operating system built on the foundations
of regular Ubuntu — in this case, Ubuntu 26.04 LTS (Resolute Raccoon).
It is a strictly confined, containerized system where the kernel, base OS,
and all applications are delivered exclusively as cryptographically signed
snap packages. This architecture ensures a rigorous, verified
boot chain, so only validated software can execute at any level of the stack.
Ubuntu Core is not designed for general desktop or server workloads. Its primary audience is edge computing hardware, industrial equipment, robotics, digital signage, and consumer electronics — environments where predictable behavior, remote management, and reliable over-the-air (OTA) updates are non-negotiable requirements.
Dramatic Reduction in OTA Update Size
One of the headline engineering achievements of Ubuntu Core 26 is a
sweeping improvement to how software updates are delivered. Canonical’s
improved snap-delta format now reduces the size of OTA updates
by 50–90% for most snaps. In practical terms, update packages for
Core-based snaps have shrunk from approximately 16 MB to just 1.5 MB.
Complementing this, a new initramfs-based installation path
avoids unnecessary reboots by default during initial provisioning, making
device deployment faster and more predictable — a tangible cost and time
saving for operators managing large-scale fleets.
Chisel: Precision-Built Snaps
Ubuntu Core 26 introduces the Chisel-based build system as its
new approach to assembling Core snaps. Chisel is a development tool that
extracts highly targeted “slices” from Ubuntu packages, using release-specific
slice definitions and explicit, traceable dependency graphs. This stands in
contrast to traditional layered build approaches (such as those used in Yocto),
where provenance and dependency closure are largely implicit.
Because every file in the resulting filesystem can be attributed to a specific slice and source package, integrity checks and vulnerability triage become significantly more accurate. Chisel also contributes a reported 7% reduction in the base image footprint.
Strengthened Full-Disk Encryption
A fundamental change to full-disk encryption arrives in Ubuntu Core 26.
Trusted Platform Module (TPM)-sealed keys are now stored directly in the
LUKS2 header, reducing the risk of key reuse across different
device states. This establishes a cleaner foundation for future enhancements
to the encryption architecture.
Additionally, native OP-TEE integration extends Arm TrustZone
key protection to embedded deployments. By sealing and unsealing disk
encryption keys within the Trusted Execution Environment (TEE) rather than
the regular OS, the risk of security key leakage is meaningfully reduced
for constrained hardware targets.
At the bootloader level, the u-boot configuration has been
moved to a single RAW partition supporting redundant environments. This
makes updates for both u-boot and snapd more
reliable, eliminating recovery problems caused by file-based storage of
boot configuration.
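The redundant-environment idea described above, as an added example that is not Canonical's or U-Boot's own code: a check over a two-copy raw partition that selects the newest copy whose CRC is valid, so a torn write falls back to the previous state. It assumes the conventional U-Boot redundant layout (little-endian CRC32, one serial byte, NUL-separated variables); the 64-byte copy size and the `kernel_rev` variable are constructed for illustration.

```python
import struct
import zlib

ENV_SIZE = 64   # assumed size of one copy; real environments are KiB-sized
HEADER = 5      # little-endian CRC32 (4 bytes) + one serial byte

def build_copy(variables, serial):
    """Serialize one copy: CRC32(data) | serial | NUL-terminated key=value pairs."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items())
    data = data.ljust(ENV_SIZE - HEADER, b"\0")
    return struct.pack("<IB", zlib.crc32(data), serial) + data

def parse_copy(blob):
    """Return (serial, variables) when the stored CRC matches, else None."""
    crc, serial = struct.unpack_from("<IB", blob)
    data = blob[HEADER:ENV_SIZE]
    if zlib.crc32(data) != crc:
        return None
    pairs = data.split(b"\0\0", 1)[0].split(b"\0")
    return serial, dict(p.decode().split("=", 1) for p in pairs if p)

def first_is_newer(a, b):
    """Compare 8-bit serials, treating 0 as the successor of 255."""
    if {a, b} == {0, 255}:
        return a == 0
    return a >= b  # a tie keeps the first copy

def select_active(partition):
    """Choose the copy a bootloader would load from a two-copy raw partition."""
    halves = (partition[:ENV_SIZE], partition[ENV_SIZE:2 * ENV_SIZE])
    found = [(i, *p) for i, h in enumerate(halves) if (p := parse_copy(h)) is not None]
    if not found:
        raise ValueError("both environment copies fail their CRC")
    if len(found) == 2 and not first_is_newer(found[0][1], found[1][1]):
        found.reverse()
    index, _serial, variables = found[0]
    return index, variables

# Constructed sample: copy 0 is the previous state, copy 1 the latest update.
OLD = build_copy({"kernel_rev": "41"}, serial=7)
NEW = build_copy({"kernel_rev": "42"}, serial=8)
INTACT = OLD + NEW
# Power loss before the last word of copy 1 was written: it still reads 0xff.
TORN = OLD + NEW[:-4] + b"\xff" * 4

if __name__ == "__main__":
    print(select_active(INTACT))
    print(select_active(TORN))
```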
“With Ubuntu Core 26, we continue to deliver the foundation that critical infrastructure operators need to meet the Cyber Resilience Act, run attested, immutable edge AI workloads, and manage devices securely at scale.”
— Jon Seager, VP of Ubuntu Engineering, Canonical
Livepatch Expands to ARM64 — No Reboots Required
Canonical is significantly expanding the reach of its Livepatch service with this release. Livepatch patches critical and high-severity kernel vulnerabilities between scheduled maintenance windows — without requiring a device reboot. For the first time, Livepatch brings rebootless kernel patching to the ARM64 architecture, starting with Ubuntu Core 26. AMD64 is now also officially supported across all Ubuntu Core releases from Ubuntu Core 20 onwards.
This expansion directly addresses one of the CRA’s key requirements: timely vulnerability remediation without taking critical edge infrastructure offline.
Snap Components and the Snapcraft Build Tool
A new feature called components has been added to the Snapcraft
build tool. This allows large or optional resources — such as debug symbols,
translation data, and hardware-specific drivers — to be packaged alongside
the main snap without inflating the base installation size. The feature was
initially piloted in Ubuntu Core 24 to deliver NVIDIA GPU drivers and is now
available across the entire snap ecosystem, enabling more modular and
size-efficient device images.
Ubuntu Frame: Multi-App Displays for Embedded Graphics
Ubuntu Frame, the embedded display server for graphical Core applications,
now supports multiple graphical applications rendering on a single display.
Features such as layout configuration, client placement customization, and
an accessibility launcher have been added. Graphics-intensive workloads gain
access to the new GPU-2604 interface, which provides hardware
acceleration for Core 26 applications, supported by a new Snapcraft extension
that streamlines graphics integration.
Canonical Assumes EU CRA Manufacturer Responsibilities
Perhaps the most strategically significant announcement accompanying Ubuntu Core 26 is Canonical’s explicit decision to assume the role of “Manufacturer” of the OS under the EU Cyber Resilience Act. This means Canonical formally commits to:
Long-term security maintenance of core OS modules; continuous monitoring and
coordinated disclosure of Common Vulnerabilities and Exposures (CVEs);
and compliance with IEC 62443-4-1, the international standard
for secure product development lifecycle processes.
This stance, combined with Ubuntu Core’s software traceability and modular architecture, is designed to establish well-defined responsibility boundaries between Canonical, device manufacturers, and application vendors — a structure the CRA explicitly requires. For companies planning to sell IoT or edge devices into the EU market after the CRA’s enforcement deadlines, Ubuntu Core 26 provides a certified, accountable OS foundation on which to build.
Bottom Line
Ubuntu Core 26, released on May 19, 2026, represents Canonical’s most complete answer yet to the converging demands of long-lifecycle embedded Linux deployments, CRA regulatory compliance, and modern AI-driven edge workloads. With 15 years of committed security maintenance, dramatically smaller OTA updates, hardware-rooted encryption, live kernel patching on ARM64, and Canonical’s formal acceptance of CRA Manufacturer duties, it is a strong contender for any organization deploying unattended devices that need to remain secure, compliant, and operational well into the 2030s.
