Is Ubuntu 20.04 still safe to run in 2026?

Safe in the sense that it still receives security patches — via Ubuntu Pro / ESM, free for up to 5 hosts. Standard support ended in April 2025 (5-year LTS window), so a 20.04 host without Pro enabled will not pick up new fixes. Noxen flags ESM-only remediations explicitly so you can see when a finding is gated on a Pro subscription.

How do I check Ubuntu 20.04 CVEs on a running host?

For a quick count: `apt list --upgradable 2>/dev/null | grep -ci security`. For a per-CVE breakdown with fix versions, Noxen reads dpkg over SSH and matches installed source-package versions against the OSV Ubuntu:20.04:LTS and Ubuntu:Pro:20.04:LTS ecosystem feeds. No agent on the target.

How long until 20.04 is truly EOL?

April 2030 with Ubuntu Pro / ESM — a 10-year window from initial release. That makes Focal one of the longest-supported Ubuntu LTS releases in the install base. The most common reason 20.04 hosts skip the 22.04 upgrade is that a regression in the latter would be more painful than just running ESM until 2030.

Does Noxen need Ubuntu Pro to scan 20.04 hosts?

No. The CVE feed Noxen consumes is publicly available regardless of Pro. What Pro provides is access to the actual fix packages via Canonical's ESM channels. Noxen will tell you the host needs Pro to install the patched version; the scan itself doesn't require a subscription.

CVE coverage

Ubuntu 20.04 LTS CVE tracker

Noxen pulls Ubuntu 20.04 CVE data from OSV.dev's Ubuntu ecosystem feed. Focal is out of standard Canonical support since April 2025 — any new CVE fix lands in the Ubuntu Pro / ESM channel (Ubuntu:Pro:20.04:LTS), and Noxen surfaces those separately so you can see at a glance whether a host needs a Pro subscription to actually install the patch.

Live

Headline numbers

Total CVE records (all distros)Loading…
Last buildLoading…
OSV records (Ubuntu + others)Loading…
NVD records (cross-platform)Loading…

How matching works

What Noxen does for an Ubuntu 20.04 host

Reads /etc/os-release over SSH to confirm the host is on Ubuntu 20.04.
Reads the dpkg package list — every binary package, plus its corresponding source package via dpkg-query --showformat='${Source}'.
Filters the local feed cache to OSV records tagged with ecosystem Ubuntu:20.04:LTS.
For each record, compares your installed version against the OSV-published fix version using the Debian/Ubuntu version-comparison rules (epoch, upstream, debian-revision).
Emits a finding only when the installed version is older than the fix. Where Ubuntu Pro / ESM-only fixes apply, they are flagged separately.

Live listings

Top recent critical CVEs (Ubuntu 20.04 / Ubuntu ecosystem)

Most-recently-published critical CVEs in the Ubuntu 20.04 / Ubuntu ecosystem. Auto-deduped to one row per CVE ID. Snapshot baked at 2026-05-16; live re-fetch on page load.

CVE	Sev.	CVSS	Summary	Package	Fix in	Published
UBUNTU-CVE-2024-40896	critical	9.1	In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE att	libxml2	2.12.7+dfsg-3ubuntu0.1	2024-12-23
UBUNTU-CVE-2024-9486	critical	9.8	A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default c	kubernetes	—	2024-10-15
UBUNTU-CVE-2024-6385	critical	9.8	An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user u	gitlab	—	2024-07-11
UBUNTU-CVE-2024-38998	critical	9.8	Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.	requirejs	—	2024-07-01
UBUNTU-CVE-2024-35325	critical	9.8	A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file /src/libyaml/src/api.c. The manipulation leads to a double-free.	libyaml	—	2024-06-13
UBUNTU-CVE-2024-35326	critical	9.8	libyaml v0.2.5 is vulnerable to Buffer Overflow. Affected by this issue is the function yaml_emitter_emit of the file /src/libyaml/src/emitter.c. The manipulation leads to a double-free.	libyaml	—	2024-06-13
UBUNTU-CVE-2024-35863	critical	—	In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in is_valid_oplock_break() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.	linux-hwe-edge	—	2024-05-19
UBUNTU-CVE-2024-3094	critical	—	Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source	xz-utils	5.2.4-1ubuntu1.1	2024-03-29

Top recent high-severity CVEs (Ubuntu 20.04 / Ubuntu ecosystem)

CVE	Sev.	CVSS	Summary	Package	Fix in	Published
UBUNTU-CVE-2026-42945	high	—	NGINX ngx_http_rewrite_module vulnerability	nginx	—	2026-05-14
UBUNTU-CVE-2026-46300	high	—	Fragnesia linux kernel local privilege escalation issue	linux	—	2026-05-13
UBUNTU-CVE-2026-45185	high	—	A remotely reachable Use-After-Free (UAF) vulnerability has been identified in Exim's BDAT (binary data transmission) body parsing path when using the GnuTLS backend. This vulnerability can lead to heap corruption and potential code executi	exim4	—	2026-05-12
UBUNTU-CVE-2026-43500	high	—	In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response	linux	—	2026-05-11
UBUNTU-CVE-2026-43284	high	—	In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb	linux	—	2026-05-08
UBUNTU-CVE-2026-23918	high	—	Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.	apache2	2.4.66-2ubuntu2.1	2026-05-05
UBUNTU-CVE-2026-41651	high	—	PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-	packagekit	0.8.17-4ubuntu6~gcc5.4ubuntu1.5+esm1	2026-04-23
UBUNTU-CVE-2026-31431	high	—	In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operatin	linux-azure	—	2026-04-22

New to severity terminology? CVE, CVSS, CWE, CPE explained.

Notable

Recent CVEs Ubuntu 20.04 operators should know — ESM matters here.

CVE-2024-6387 (regreSSHion) — OpenSSH signal-handler race producing pre-auth RCE.. Ubuntu advisory · Noxen deep-dive.
CVE-2024-3094 (xz backdoor) — Supply-chain backdoor in xz-utils 5.6.0 / 5.6.1.. Ubuntu advisory · Noxen deep-dive.
CVE-2024-1086 (nf_tables UAF) — Linux kernel privilege-escalation, observed in the wild.. Ubuntu advisory.
CVE-2026-31431 (kernel algif_aead) — Local privilege escalation in the kernel's userspace AEAD interface.. Ubuntu advisory · Noxen deep-dive.

Scan an Ubuntu 20.04 fleet with Noxen

Add your Ubuntu 20.04 hosts via your existing ~/.ssh/config; Noxen reads dpkg state and matches against the live signed feed. No agent, no SaaS round-trip. $79 one-time.

← back to the CVE dashboard Ubuntu 22.04 → Debian 13 →