Ubuntu 25.10 Questing Quokka has landed, marking the final interim release before Ubuntu 26.04 LTS, and it’s a bold one. Interim releases have always been the proving grounds for features that define the next LTS, and this cycle is no exception. From memory-safe reimplementations of foundational tools to hardware-backed encryption, post-quantum cryptography preparedness, and confidential computing, 25.10 pushes Ubuntu security into its next era, and the trajectory is clear: Ubuntu is building a more secure foundation for the next decade of computing.
Ubuntu 25.10 defaults to sudo-rs, a Rust implementation of sudo. This change directly addresses a history of memory corruption vulnerabilities in security-critical code. The sudo vulnerability CVE-2021-3156, which existed undetected from 2011 to 2021, demonstrates why this matters; memory safety guarantees at the compiler level prevent entire categories of these bugs.
Similarly, we now ship rust-coreutils as the default provider of utilities like ls, cat, and cp. The GNU implementations remain available, and users can switch between them if needed. We maintain a compatibility matrix documenting behavioral differences, though most users won’t encounter any issues. Performance varies by operation: base64 encoding is notably faster, while some operations show minimal change.
For users who need the traditional sudo, it’s available as sudo.ws. Existing sudo configurations work without modification. This parallel availability allows thorough testing while maintaining a fallback path.
The TPM-backed Full Disk Encryption implementation has matured considerably in this release, though it remains experimental. New capabilities include:
There are important compatibility considerations. The feature is incompatible with Absolute (formerly Computrace) security software; systems must choose one or the other. Additionally, certain hardware configurations require specific kernel modules that may not be available in the TPM-secured kernel. Users should test thoroughly with their specific hardware before considering deployment.
This work targets production readiness in Ubuntu 26.04 LTS. Testing and feedback during the 25.10 cycle will directly influence the LTS implementation.
Ubuntu 25.10 replaces systemd-timesyncd with Chrony as the default time daemon, configured with Network Time Security (NTS) enabled. This change addresses a long-standing security concern: unauthenticated NTP has been vulnerable to tampering that could affect certificate validation, audit logs, and distributed system coordination.
NTS adds TLS-based authentication to time synchronization, using port 4460/tcp for key exchange before standard NTP communication on 123/udp.
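A configuration audit for the point above, as an added example that is not part of the original article: it flags chrony `server` and `pool` sources that lack the `nts` option and would therefore still synchronize over unauthenticated NTP. The function name, host names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag chrony time sources that are not using NTS.

# audit_nts FILE...
# Prints "file:line:directive host" for each server/pool source without the
# "nts" option and returns 1 if any were found, 0 otherwise.
audit_nts() {
    awk '
        $1 == "server" || $1 == "pool" {
            has_nts = 0
            for (i = 3; i <= NF; i++) if ($i == "nts") has_nts = 1
            if (!has_nts) {
                printf "%s:%d:%s %s\n", FILENAME, FNR, $1, $2
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample configuration (hypothetical hosts, not Ubuntu defaults).
make_chrony_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
pool ntp.example.net iburst maxsources 4 nts prefer
server time.example.org iburst
server nts.example.com nts iburst
EOF
    printf '%s\n' "$f"
}

sample=$(make_chrony_sample)
audit_nts "$sample" || echo "sources without NTS found (listed above)"
rm -f "$sample"
```

Run it against the chrony configuration files on the system being checked. A source that passes still needs outbound 4460/tcp and 123/udp allowed, and `chronyc authdata` shows which authentication mode each source is actually using at runtime.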
Ubuntu 25.10 prepares for quantum computing threats through the latest versions of OpenSSH and OpenSSL that it ships. OpenSSH 10.0 now uses hybrid post-quantum algorithms by default for key agreement. No configuration is required: SSH connections automatically benefit from quantum resistance while maintaining compatibility with systems that don’t support these algorithms.
OpenSSL 3.5.3 adds support for ML-KEM, ML-DSA, and SLH-DSA algorithms. The default TLS configuration prefers hybrid post-quantum KEM groups, balancing future security with present-day compatibility.
Note that OpenSSH 10.0 removes DSA support entirely. Systems still using DSA keys will need migration before they can connect to or from Ubuntu 25.10 systems.
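To find what needs migrating, the following added example (not from the original article) scans OpenSSH key files for DSA entries, covering both user keys in `authorized_keys` and host keys in `known_hosts`. The function names and all key material and host names in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: list DSA ("ssh-dss") entries in OpenSSH key files so they can
# be replaced before talking to an OpenSSH 10.0 peer.

# find_dsa_keys FILE...
# Prints "file:line:comment" for every DSA public key or certificate entry.
# The key type is searched in every field, because authorized_keys lines may
# start with options and known_hosts lines start with host names or markers.
find_dsa_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            for (i = 1; i < NF; i++) {
                is_dsa = ($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com")
                # require a base64 blob next, so a quoted option that merely
                # contains the word "ssh-dss" is not reported
                if (is_dsa && $(i + 1) ~ /^AAAA/) {
                    label = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    printf "%s:%d:%s\n", FILENAME, FNR, label
                    break
                }
            }
        }
    ' "$@"
}

# Constructed sample files (placeholder blobs, not real keys).
make_dsa_sample() {
    dir=$(mktemp -d)
    cat > "$dir/authorized_keys" <<'EOF'
# constructed sample
from="192.0.2.10",no-pty ssh-dss AAAAB3NzaC1kc3M-CONSTRUCTED alice@old-laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED bob@workstation
command="run ssh-dss check" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED carol@ci
EOF
    cat > "$dir/known_hosts" <<'EOF'
legacy.example.com ssh-dss AAAAB3NzaC1kc3M-CONSTRUCTED
EOF
    printf '%s\n' "$dir"
}

sample=$(make_dsa_sample)
find_dsa_keys "$sample/authorized_keys" "$sample/known_hosts"
rm -rf "$sample"
```

Each reported line is a key to regenerate with a supported algorithm, or a host whose server key must be replaced, before the connection will work.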
For those running sensitive workloads in the cloud, Ubuntu 25.10 ships with native support for Intel TDX (Trust Domain Extensions) host capabilities. This technology creates hardware-isolated virtual machines for confidential computing, perfect for data clean rooms and confidential AI workloads. The kernel ships with Intel TDX host support out of the box, setting the stage for confidential computing to become mainstream in the 26.04 LTS.
Beyond the headline features, there’s a consistent theme of security through modernization:
Some security features require careful deployment:
In all, the security enhancements and hardening measures delivered in Ubuntu 25.10 continue Ubuntu’s evolution toward delivering the most secure Linux experience. They lay the groundwork for Ubuntu 26.04 LTS, the next long-term supported release, where these technologies will mature into default, fully supported capabilities. Furthermore, security updates, compliance, hardening and kernel livepatching for 26.04 LTS will be covered for up to 12 years through Ubuntu Pro, extending Ubuntu’s track record as a securely-designed foundation for developing and deploying modern Linux workloads.
We’re always refining Ubuntu’s security experience, and your input matters. To share feedback or join the conversation, visit Ubuntu’s Discourse page. If you’d like to discuss your deployment needs, please reach out via this contact form.
Stay secure, and happy upgrading.