
What to Do Now That Ubuntu 16.04 LTS Is No Longer Supported

Asked 2026-05-02 12:43:40 Category: Cybersecurity

If you're still relying on Ubuntu 16.04 LTS (Xenial Xerus), it's time to take action. As of April 2026, Extended Security Maintenance (ESM) for this version has officially ended, meaning no more security patches are being delivered—even with an Ubuntu Pro subscription. Originally released in April 2016, Ubuntu 16.04 received five years of standard support, followed by an optional five years of security coverage via ESM. Now that both phases have concluded, continuing to use this release on internet-connected systems exposes you to known vulnerabilities with no official fixes. The safest path forward is to upgrade to a newer Long-Term Support (LTS) release, but there's a catch: you can't jump directly from 16.04 to the latest LTS. Instead, you must upgrade incrementally. Below, we answer common questions about your options, risks, and the steps you need to take to stay secure.

When exactly did security support for Ubuntu 16.04 LTS end?

Standard security support for Ubuntu 16.04 LTS ended in April 2021, after its initial five-year life cycle. However, Canonical offered Extended Security Maintenance (ESM) as an additional five-year period of critical and high-priority patches, available through an Ubuntu Pro subscription (free for personal use on up to five machines). ESM coverage for 16.04 LTS concluded in April 2026, meaning that as of that date, no new security updates are being released—even for paying subscribers. Any system still running this version is now exposed to any vulnerabilities discovered after April 2026, with no official way to patch them.

Source: www.omgubuntu.co.uk

What exactly was Extended Security Maintenance (ESM) for Ubuntu 16.04?

Extended Security Maintenance, or ESM, was an optional program introduced by Canonical to extend the security lifecycle of an LTS release beyond its standard five-year support window. For Ubuntu 16.04, ESM provided critical and high-severity CVE patches for an additional five years—covering everything from kernel vulnerabilities to critical libraries. To access ESM, you had to enable Ubuntu Pro on your system (available at no cost for up to five machines for personal use). The service ensured that even after the main support phase ended, administrators could still receive fixes for high-priority issues. With ESM's conclusion in April 2026, no more updates will be backported for 16.04, making it effectively unsupported from a security standpoint.

Can I still get security updates for Ubuntu 16.04 after ESM ended?

No. Once ESM expired in April 2026, Canonical stopped generating any new security patches for Ubuntu 16.04 LTS. Even if you have an active Ubuntu Pro subscription or were previously covered, there are no updates being produced. This means your system is now running on only the patches that existed up to that cutoff date. Any vulnerabilities discovered later—whether in the kernel, openssl, systemd, or any other package—will not be addressed by Canonical. The only ways to receive security fixes are to either upgrade to a supported Ubuntu release (like 20.04, 22.04, or 24.04) or, if you absolutely cannot upgrade, consider using third-party security backports (which are not officially supported and may introduce compatibility risks). Canonical's recommendation is to migrate to a newer LTS as soon as possible.

Why can't I upgrade directly from Ubuntu 16.04 to the latest LTS?

Ubuntu's upgrade process is designed for stability and reliability, requiring you to move through each major release sequentially. For example, from 16.04 LTS you can upgrade to 18.04 LTS, then to 20.04 LTS, and so on. Skipping releases (e.g., going straight from 16.04 to 22.04) is not supported because the package databases, kernel configurations, and system dependencies change incrementally. Jumping multiple versions would cause dependency conflicts and break system integrity. Canonical's do-release-upgrade tool only offers upgrades to the next LTS version, ensuring that all necessary migrations happen step by step. If you try to force an inter‑version jump, you risk ending up with a broken system that cannot boot or run critical applications. Therefore, the recommended pathway is: 16.04 → 18.04 → 20.04 → 22.04 (or 24.04, depending on your target).


What are the steps to upgrade from Ubuntu 16.04 to a supported version?

To upgrade safely, you'll need to move one LTS release at a time. Start by ensuring your 16.04 system is fully updated with the latest available patches (up to the April 2026 cutoff). Then, run sudo do-release-upgrade to upgrade to Ubuntu 18.04 LTS. After the system reboots into 18.04, update that version completely before upgrading to 20.04 LTS (again using do-release-upgrade). Repeat the process to reach 22.04 LTS or 24.04 LTS, depending on how current you want to be. Each upgrade will take time and may require you to review configuration file changes. It's strongly recommended to back up your data and configuration files before each major upgrade. If your server is remote, ensure you have out‑of‑band access (like iDRAC or IPMI) in case the upgrade interrupts networking. Canonical provides official upgrade guides for each step.
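
The one-release-at-a-time procedure above, as an added example (not from the original article or from Canonical): a shell helper that reads the current release and prints the hop-by-hop plan without running anything. The LTS_CHAIN list, the function names and the apt commands are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: plans the LTS-to-LTS hops; it prints commands and runs none of them.

# LTS releases in upgrade order, as listed on this page.
LTS_CHAIN="16.04 18.04 20.04 22.04 24.04"

# Print VERSION_ID from an os-release style file (default: /etc/os-release).
release_of() {
    sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "${1:-/etc/os-release}"
}

# Print one "from -> to" line per hop. Returns 1 for a release outside the
# chain, or a target that is not newer than the starting release.
upgrade_path() {
    local from="$1" to="$2" prev="" started=0 plan="" r
    for r in $LTS_CHAIN; do
        if [ "$started" -eq 1 ]; then
            plan="${plan}${prev} -> ${r}
"
            if [ "$r" = "$to" ]; then printf '%s' "$plan"; return 0; fi
        fi
        if [ "$r" = "$from" ]; then started=1; fi
        prev="$r"
    done
    return 1
}

# Print the per-hop checklist. The apt commands are an assumed way to bring a
# release "fully up to date"; the page itself names only do-release-upgrade.
runbook() {
    local plan cur arrow nxt
    plan=$(upgrade_path "$1" "$2") || return 1
    echo "$plan" | while read -r cur arrow nxt; do
        echo "# Hop $cur $arrow $nxt: back up data and config; confirm out-of-band access"
        echo "sudo apt update && sudo apt full-upgrade   # patch $cur fully first"
        echo "sudo do-release-upgrade                    # offers only the next LTS, $nxt"
        echo "# Reboot, then check that VERSION_ID reads $nxt before the next hop"
    done
}

# Constructed sample of /etc/os-release on a 16.04 host (not from a real system).
sample=$(mktemp)
printf 'NAME="Ubuntu"\nVERSION_ID="16.04"\nID=ubuntu\n' > "$sample"
runbook "$(release_of "$sample")" 22.04
rm -f "$sample"
```

On a real host, call release_of with no argument to read /etc/os-release, and rerun the plan after each hop to confirm the remaining steps.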

What should I do if I cannot upgrade from Ubuntu 16.04 right now?

If upgrading immediately isn't feasible (perhaps due to legacy software that doesn't run on newer releases, or budget constraints), there are a few interim measures you can take. First, isolate the 16.04 system from the internet if possible, placing it on a segregated network behind a firewall that limits outbound connections. If you can obtain critical security patches from a third-party source, serve only those from an internal repository, but be aware of the legal and reliability issues. You could also consider migrating critical services to containers or virtual machines inside a supported host OS. Another option is to purchase extended support from a third-party vendor that offers backported patches for legacy Ubuntu releases, though this is not free and often requires a contract. Remember, running unsupported software in a connected environment is risky; prioritize a migration plan and allocate resources to complete it as soon as possible.

What are the security risks of continuing to use Ubuntu 16.04 after ESM ended?

Without security updates, your system becomes increasingly vulnerable as new exploits are discovered and publicly disclosed. For example, if a critical vulnerability is announced in the Linux kernel or OpenSSL—both core components—your 16.04 system will never receive a patch. Attackers can exploit these holes to gain remote access, steal data, or install ransomware. Because 16.04 is a widely known release, its vulnerabilities are well documented, making it an attractive target for automated scanning bots. Additionally, compliance requirements (like PCI DSS, HIPAA, or SOC 2) often mandate that systems must run supported software with active security patches. Running an unsupported OS can lead to audit failures, fines, or loss of certification. In short, continuing to use Ubuntu 16.04 without ESM means accepting these risks, which may be unacceptable for production environments or systems handling sensitive data.