Ubuntu Core 26 goes immutable, supported to 2041

Canonical’s Ubuntu Core 26 is an embedded, snap-based Linux built for edge and IoT deployments that must run unattended for years—positioned as harder to tamper with, smaller to update, and supported for 15 years through 2041. The release adds faster OTA updat
For operators of edge devices, the dream is simple: make something that keeps working, stays verifiable, and doesn’t turn into a security headache every time a vulnerability lands.
Ubuntu Core 26 is Canonical’s latest attempt at delivering that kind of “set it and forget it” confidence. The distribution is designed for mission-critical and low-latency workloads on Internet of Things and edge deployments—robotics, industrial systems, digital signage, appliances, and other unattended hardware—where behavior needs to be predictable, updates need to be remote, and security requirements don’t pause while teams scramble.
Ubuntu Core, for those who haven’t followed it, is a stripped-down embedded Linux OS that takes regular Ubuntu and turns it into a minimal, containerized system. The kernel, base OS, and apps are delivered as snaps. Canonical’s pitch for Core 26 is that it makes the system harder to alter and easier to prove—backed by cryptographically signed components and a measured boot chain that runs only verified code.
Canonical also frames this as a direct response to where EU compliance is heading. Emerging security regulations, especially the EU Cyber Resilience Act (CRA), are pushing operators toward clear component provenance, long-term stability, and accountability across the stack.
Jon Seager, Canonical’s VP of Ubuntu Engineering, said in a blog post: “With Ubuntu Core 26, we continue to deliver the foundation that critical infrastructure operators need to meet the CRA, run attested, immutable edge AI workloads, and manage devices securely at scale.”
Ubuntu Core is positioned as a Linux “you can trust to run safely until 2041.” The practical promise is time: Canonical says the release provides 15 years of support.
The release also leans hard into the operational friction that usually hurts long-running device fleets—provisioning, patching, and the sheer bandwidth those updates can consume.
Canonical says the improved snap-delta format reduces OTA update sizes by 50% to 90% for most snaps. Updates to Core base snaps are reported to shrink from around 16MB to just 1.5MB. On top of that, new initramfs-based installation paths avoid redundant reboots by default, which Canonical says speeds up first-boot provisioning and makes device rollout faster and more predictable.
The trust story isn’t just about what gets updated—it’s also about how the base system is built.
Ubuntu Core 26 introduces a Chisel-based build system Canonical calls a new “precision-led” approach to constructing Core base snaps. Chisel is described as a developer tool for extracting highly customized, specialized package slices from Ubuntu packages to create compact, secure software.
Instead of relying on layered recipes and post-processing, the new system uses release-specific “slice” definitions with explicit, traceable dependencies. Canonical says this ties every file in the filesystem back to a specific slice and source package. The company argues that operators get improved integrity checking and vulnerability triage because there’s finer-grained visibility into the origins of a component and its dependencies. Canonical also reports a 7% reduction in the base image footprint from this pipeline.
Even the boot path gets a change aimed at reducing the chance that low-level updates go sideways.
Ubuntu Core 26 shifts u-boot configuration into a single raw partition with redundant environment support. Canonical says this makes updates to both u-boot and snapd safer and more reliable, while avoiding recovery issues associated with file-based storage.
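Why a redundant environment survives an interrupted update, as an added example that is not Canonical's or U-Boot's code: it models the usual U-Boot scheme of two copies, each carrying a CRC32 and a one-byte serial, and picks the copy a bootloader would trust. The little-endian header, the 64-byte data size and the variable names are assumptions made for the sketch, not Ubuntu Core's actual partition layout.

```python
import struct
import zlib

ENV_SIZE = 64                 # constructed: data bytes per copy (real builds use far more)
HDR = struct.Struct("<IB")    # assumption: little-endian CRC32, then 1-byte serial ("flags")

def build_copy(variables, serial):
    """Serialise one copy: CRC32 | serial | NUL-separated key=value data, NUL-padded."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items())
    data = data.ljust(ENV_SIZE, b"\0")
    return HDR.pack(zlib.crc32(data), serial) + data

def parse_copy(blob):
    """Return (serial, vars) when the CRC matches, else None (torn or corrupted write)."""
    crc, serial = HDR.unpack_from(blob)
    data = blob[HDR.size:HDR.size + ENV_SIZE]
    if len(data) != ENV_SIZE or zlib.crc32(data) != crc:
        return None
    pairs = data.split(b"\0\0", 1)[0].split(b"\0")
    return serial, dict(p.decode().split("=", 1) for p in pairs if b"=" in p)

def select_active(copy_a, copy_b):
    """Choose the copy to boot from: a valid CRC first, then the newest serial."""
    a, b = parse_copy(copy_a), parse_copy(copy_b)
    if a is None or b is None:
        return ("A", a[1]) if a else ("B", b[1]) if b else (None, {})
    if (a[0], b[0]) == (255, 0):      # serial wrapped: 0 is newer than 255
        return "B", b[1]
    if (a[0], b[0]) == (0, 255):
        return "A", a[1]
    return ("A", a[1]) if a[0] >= b[0] else ("B", b[1])

def demo():
    # Constructed sample data: copy A is the known-good state, copy B the update.
    old = build_copy({"boot_slot": "a", "upgrade_available": "0"}, serial=7)
    new = build_copy({"boot_slot": "b", "upgrade_available": "1"}, serial=8)
    torn = new[:20] + bytes(len(new) - 20)   # power lost mid-write: tail never stored
    return select_active(old, new), select_active(old, torn)

if __name__ == "__main__":
    print(demo())
```

A completed write makes copy B authoritative; a write cut short fails its CRC, so the bootloader falls back to copy A instead of booting from half-written settings.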
Security in Core 26 goes further than “hardened” language. It also tackles the mechanics of disk encryption keys.
Canonical says TPM-sealed keys are now stored directly in the Linux Unified Key Setup (LUKS2) header. This, Canonical says, reduces the risk of key reuse across different device states. For ARM-based deployments, Core 26 also brings new native OP-TEE integration, using ARM TrustZone-backed protection.
In practice, sealing and unsealing disk encryption keys in the Trusted Execution Environment—rather than in the normal operating system—is intended to reduce the risk of security-key compromise.
Keeping devices updated without breaking the ecosystem is another thread that runs through the release.
Snapcraft, the build tool behind snaps, gains a major feature called components. The goal is to package large or optional resources—such as debug symbols, translations, or optional drivers—alongside the main snap without inflating the base installation. Canonical says components were first tested in Ubuntu Core 24 for Nvidia drivers, and are now open across the wider snap ecosystem.
Canonical is also extending Livepatch service coverage across more of the Core ecosystem. With the dual release of Ubuntu 26.04 LTS and Ubuntu Core 26, Livepatch’s reboot-less kernel updates now reach ARM64 for the first time. It also gains official support on AMD64 across all Ubuntu Core releases from Core 20 onward.
The company pitches these changes as a way to meet CRA expectations for timely vulnerability remediation without taking critical edge devices offline.
For deployments that need a user-facing interface, Canonical updates Ubuntu Frame, Core’s display server for embedded graphical applications. Ubuntu Frame now supports multiple apps on a single display, with configurable layouts, custom client placement, and an accessibility launcher.
Graphics-heavy workloads get another boost through the new GPU-2604 interface, which provides hardware acceleration for Core 26 applications. Canonical says this is supported by a new Snapcraft extension intended to simplify graphics integration.
Canonical’s position on responsibility under the CRA is also explicit. The company said it is assuming “manufacturer” responsibilities for the operating system under the CRA. That matters because Canonical says it backs long-term security maintenance for core modules, continuous Common Vulnerabilities and Exposures (CVE) monitoring, coordinated disclosure, and adherence to standards such as IEC 62443-4-1.
The intent, Canonical says, is to define clearer boundaries of responsibility among Canonical, device makers, and application vendors—while using built-in software traceability and modularity as the mechanism.
Ubuntu Core is not presented as a universal Linux replacement, but Canonical’s message is targeted: if a company wants to sell IoT or edge gear in the EU under the CRA, Ubuntu Core 26 is built to be marketable there.
Behind the engineering changes—snap-delta compression, initramfs-based provisioning, Chisel’s traceable slices, safer boot updates, and stronger key protection—there’s a single operational promise Canonical keeps circling: keep devices running, keep them verifiable, and avoid the kind of patchwork security that turns “managed fleets” into permanent firefighting.