Ubuntu Core 26 offers an immutable Linux you can trust through 2041
At a glance:
- Ubuntu Core 26 is a stripped-down, containerized Linux for IoT and edge devices with 15 years of support.
- New features include 50-90% smaller OTA updates, a Chisel-based build system, and TPM-sealed full-disk encryption.
- Designed for EU Cyber Resilience Act (CRA) compliance, with Canonical assuming manufacturer responsibility for the OS.
A 15-year promise for mission-critical edge deployments
Canonical has unveiled Ubuntu Core 26, the latest iteration of its embedded Linux distribution tailored for Internet of Things (IoT), industrial, and edge computing environments. This release is engineered for devices that must operate unattended for years, offering a rock-solid foundation with security patches and support extending all the way to 2041. Unlike general-purpose server or desktop distributions, Ubuntu Core is a minimal, containerized system where the kernel, base OS, and applications are delivered as snaps—cryptographically signed, sandboxed packages that enable predictable behavior, remote management, and robust over-the-air (OTA) updates.
The timing aligns with tightening global regulations, particularly the EU Cyber Resilience Act (CRA), which mandates clear component provenance, long-term stability, and accountability across the software stack. As Jon Seager, Canonical's VP of Ubuntu Engineering, stated in a blog post: "With Ubuntu Core 26, we continue to deliver the foundation that critical infrastructure operators need to meet the CRA, run attested, immutable edge AI workloads, and manage devices securely at scale." This positions Ubuntu Core not just as an OS, but as a compliance tool for manufacturers targeting the European market.
Technical innovations: smaller updates and a new build paradigm
A major theme in Ubuntu Core 26 is reducing the operational cost and friction of managing large device fleets. Canonical has introduced an improved snap-delta format that shrinks OTA update sizes by 50% to 90% for most snaps. Updates to the Core base snaps, which previously weighed around 16 MB, now come in at just 1.5 MB. This dramatic reduction minimizes bandwidth usage and downtime, a critical factor for geographically dispersed IoT deployments.
Furthermore, new initramfs-based installation paths avoid redundant reboots by default, accelerating first-boot provisioning and making large-scale device rollouts faster and more predictable.
At the heart of the new build system is Chisel, a developer tool that extracts highly customized, specialized package slices from Ubuntu packages to create compact, secure software. Unlike traditional layered recipes, Chisel uses release-specific "slice" definitions with explicit, traceable dependencies. This allows every file in the filesystem to be tied back to a specific slice and source package, improving integrity checking and vulnerability triage by giving operators finer-grained visibility into component origins. Canonical reports this approach contributes to a 7% reduction in the base image footprint.
Hardening the boot chain and encryption foundations
Security in Ubuntu Core 26 begins at the bootloader layer. The distribution shifts U-Boot configuration into a single raw partition with redundant environment support. This design makes updates to both U-Boot and snapd safer and more reliable while avoiding recovery issues associated with file-based storage. The measured boot chain, a core tenet of Ubuntu Core, ensures only cryptographically verified code can execute, creating an immutable foundation from power-on to application runtime.
On the encryption front, the new Core introduces foundational changes to full-disk protection. TPM-sealed keys are now stored directly in the Linux Unified Key Setup (LUKS2) header, reducing the risk of key reuse across different device states. Additionally, native OP-TEE integration brings ARM TrustZone-backed key protection to embedded deployments. By sealing and unsealing disk encryption keys within the Trusted Execution Environment rather than the normal operating system, Ubuntu Core 26 significantly reduces the risk of security-key compromise, a critical enhancement for devices handling sensitive data in the field.
Accelerating deployment and meeting regulatory demands
Beyond the base OS, Ubuntu Core 26 introduces new system snaps and features to streamline device deployment. The Snapcraft build tool gains a major capability called "components," which packages large or optional resources—such as debug symbols, translations, or optional drivers—alongside the main snap without inflating the base installation. First tested with Nvidia drivers in Ubuntu Core 24, this feature is now available to the wider snap ecosystem, allowing manufacturers to deliver optional functionality efficiently.
Canonical is also extending its Livepatch service to more of the Core ecosystem. With the dual release of Ubuntu 26.04 LTS and Ubuntu Core 26, Livepatch's reboot-less kernel updates now reach ARM64 for the first time and gain official support on AMD64 across all Ubuntu Core releases from Core 20 onward. The company pitches this as a direct answer to CRA expectations, enabling timely vulnerability remediation without taking critical edge devices offline.
Perhaps most significantly for the European market, Canonical is assuming "manufacturer" responsibilities for the operating system under the CRA. This means the company stands behind long-term security maintenance for core modules, continuous Common Vulnerabilities and Exposures (CVE) monitoring, coordinated disclosure, and adherence to standards such as IEC 62443-4-1. This approach, combined with built-in software traceability and modularity, is presented as a tool for defining clear boundaries of responsibility among Canonical, device makers, and application vendors—an essential framework for selling IoT or edge gear in the EU.
Conclusion: A specialized OS for a specialized regulatory landscape
Ubuntu Core 26 is not a general-purpose operating system; it is a purpose-built solution for a specific and growing market need. For companies building IoT or edge devices destined for the European Union, this release offers a clear path to CRA compliance with a 15-year security guarantee. Its technical advancements—from dramatically smaller updates and a more transparent build system to hardware-backed encryption—address the practical challenges of managing billions of devices at scale. While its immutable, containerized nature may be overkill for a desktop user, for the industrial automation floor, the digital signage network, or the AI edge appliance, Ubuntu Core 26 provides the trusted, long-term foundation that modern regulatory and operational demands require.
Prepared by the editorial stack from public data and external sources.