ijlal-loutfi
on 21 October 2025
Ubuntu 25.10 Questing Quokka has landed, marking the final interim release before Ubuntu 26.04 LTS, and it’s a bold one. Interim releases have always been the proving grounds for features that define the next LTS, and this cycle is no exception. From memory-safe reimplementations of foundational tools to hardware-backed encryption, post-quantum cryptography preparedness, and confidential computing, 25.10 pushes Ubuntu security into its next era, and the trajectory is clear: Ubuntu is building a more secure foundation for the next decade of computing.
Memory safety takes center stage
Ubuntu 25.10 defaults to sudo-rs, a Rust implementation of sudo. This change directly addresses a history of memory corruption vulnerabilities in security-critical code. The sudo vulnerability CVE-2021-3156, which existed undetected from 2011 to 2021, demonstrates why this matters; memory safety guarantees at the compiler level prevent entire categories of these bugs.
Similarly, we now ship rust-coreutils as the default provider of utilities like ls, cat, and cp. The GNU implementations remain available, and users can switch between them if needed. We maintain a compatibility matrix documenting behavioral differences, though most users won’t encounter any issues. Performance varies by operation: base64 encoding is notably faster, while other operations show minimal change.
For users who need the traditional sudo, it’s available as sudo.ws. Existing sudo configurations work without modification. This parallel availability allows thorough testing while maintaining a fallback path.
TPM-backed full disk encryption gets real
The TPM-backed Full Disk Encryption implementation has matured considerably in this release, though it remains experimental. New capabilities include:
- Passphrase support with proper management interfaces
- Recovery key regeneration for improved key management
- Better integration with firmware updates to prevent boot issues
There are important compatibility considerations. The feature is incompatible with Absolute (formerly Computrace) security software, so systems must choose one or the other. Additionally, certain hardware configurations require specific kernel modules that may not be available in the TPM-secured kernel. Users should test thoroughly with their specific hardware before considering deployment.
This work targets production readiness in Ubuntu 26.04 LTS. Testing and feedback during the 25.10 cycle will directly influence the LTS implementation.
Network Time Security by default
Ubuntu 25.10 replaces systemd-timesyncd with Chrony as the default time daemon, configured with Network Time Security (NTS) enabled. This change addresses a long-standing security concern: unauthenticated NTP has been vulnerable to tampering that could affect certificate validation, audit logs, and distributed system coordination.
NTS adds TLS-based authentication to time synchronization, using port 4460/tcp for key exchange before standard NTP communication on 123/udp.
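As an added check, not from the post or from Ubuntu's own tooling, the following POSIX shell snippet audits a chrony.conf for time sources that are configured without the nts option, so a host that falls back to plain NTP is noticed; the configuration and server names are constructed for the example.

```shell
# Constructed sample chrony.conf: one NTS source, one plain NTP source, one pool.
# Server names are placeholders, not Ubuntu's actual defaults.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server nts.time.example.org iburst nts
server ntp.example.net iburst
pool 2.ubuntu.pool.ntp.org iburst maxsources 4
EOF

# Print the hostname of every server/pool/peer line that lacks the "nts" option.
# Exit status 1 when at least one unauthenticated source exists, 0 otherwise.
unauthenticated_sources() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                     # skip comments and blanks
        $1 == "server" || $1 == "pool" || $1 == "peer" {
            nts = 0
            for (i = 3; i <= NF; i++) if ($i == "nts") nts = 1
            if (!nts) { print $2; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

if unauthenticated_sources "$SAMPLE_CONF"; then
    echo "all time sources use NTS"
else
    echo "unauthenticated time sources above: add the nts option or drop them" >&2
fi
```

On a live system, `chronyc -N authdata` shows whether each source actually completed NTS key establishment, which a static config check cannot tell you.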
Preparing for the quantum apocalypse
Ubuntu 25.10 prepares for quantum computing threats through the OpenSSH and OpenSSL versions it ships. OpenSSH 10.0 now uses hybrid post-quantum algorithms by default for key agreement. No configuration is required: SSH connections automatically benefit from quantum resistance while remaining compatible with peers that don’t support these algorithms.
OpenSSL 3.5.3 adds support for ML-KEM, ML-DSA, and SLH-DSA algorithms. The default TLS configuration prefers hybrid post-quantum KEM groups, balancing future security with present-day compatibility.
Note that OpenSSH 10.0 removes DSA support entirely. Systems still using DSA keys will need migration before they can connect to or from Ubuntu 25.10 systems.
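Added example, not part of the post: a shell audit that flags ssh-dss entries in an authorized_keys (or known_hosts) file so they can be replaced before the OpenSSH 10.0 upgrade; the sample file and key blobs are constructed placeholders.

```shell
# Constructed authorized_keys sample; the key blobs are placeholders, not real keys.
SAMPLE_KEYS=$(mktemp)
trap 'rm -f "$SAMPLE_KEYS"' EXIT
cat > "$SAMPLE_KEYS" <<'EOF'
# legacy key from the build server
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER legacy@build
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
command="/usr/bin/rrsync /srv/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@old
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER bob@desktop
EOF

# Print "<line>: <comment>" for every DSA (ssh-dss) entry, scanning all fields so
# that keys prefixed with options such as command="..." are still found.
# Exit status 1 if any DSA key is present, 0 otherwise.
dsa_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss") {
                    id = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print FNR ": " id
                    found = 1
                    break
                }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

if dsa_keys "$SAMPLE_KEYS"; then
    echo "no DSA keys: ready for OpenSSH 10.0"
else
    echo "replace the DSA keys above (e.g. with ssh-ed25519) before upgrading" >&2
fi
```

To confirm the post-quantum side on an upgraded host, `ssh -Q kex` lists the key exchange methods the installed client supports, which on OpenSSH 10.0 includes the hybrid mlkem768x25519-sha256.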
Intel TDX and confidential computing
For those running sensitive workloads in the cloud, Ubuntu 25.10 ships with native support for Intel TDX (Trust Domain Extensions) host capabilities. This technology creates hardware-isolated virtual machines for confidential computing, perfect for data clean rooms and confidential AI workloads. The kernel ships with Intel TDX host support out of the box, setting the stage for confidential computing to become mainstream in the 26.04 LTS.
Security through modernization
Beyond the headline features, there’s a consistent theme of security through modernization:
- Django updated to 5.2 LTS with improved security defaults
- Systemd v257.9 with enhanced security features
- Apache 2.4.64 with multiple security fixes
- The entire toolchain has been rebuilt with GCC 15.2, providing better compile-time security checks
What to watch for
Some security features require careful deployment:
- AppArmor profiles may unexpectedly affect operations in LXD containers
- TPM-backed FDE has specific hardware requirements
- The switch to OpenSSH 10.0 removes DSA support, which may affect legacy systems
Looking ahead
In all, the security enhancements and hardening measures delivered in Ubuntu 25.10 continue Ubuntu’s evolution toward delivering the most secure Linux experience. They lay the groundwork for Ubuntu 26.04 LTS, the next long-term supported release, where these technologies will mature into default, fully supported capabilities. Furthermore, security updates, compliance, hardening and kernel livepatching for 26.04 LTS will be covered for up to 12 years through Ubuntu Pro, extending Ubuntu’s track record as a securely-designed foundation for developing and deploying modern Linux workloads.
We’re always refining Ubuntu’s security experience, and your input matters. To share feedback or join the conversation, visit Ubuntu’s Discourse page. If you’d like to discuss your deployment needs, please reach out via this contact form.
Stay secure, and happy upgrading.