Ubuntu 16.x — End of Life
EOL Actively exploitedUbuntu 16.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 16.10 | Oct 13, 2016 | Jul 20, 2017 | Jul 20, 2017 | 16.10 | EOL |
| 16.04LTS | Apr 21, 2016 | Apr 2, 2021 | Apr 2, 2021 | 16.04.7 | EOL |
CVEs affecting Ubuntu 16.x (19)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-31431 | HIGH | 7.8 | 96.27% | KEV | 16.10 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla… | Apr 22, 2026 |
| CVE-2026-31431 | HIGH | 7.8 | 96.27% | KEV | 16.04 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla… | Apr 22, 2026 |
| CVE-2026-3888 | HIGH | 7.8 | 0.38% | — | 16.04 | Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private … | Mar 17, 2026 |
| CVE-2022-0492 | HIGH | 7.8 | 5.53% | KEV | 16.04 | A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. Th… | Mar 3, 2022 |
| CVE-2020-29372 | MEDIUM | 4.7 | 0.39% | — | 16.04 | An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition betwee… | Nov 28, 2020 |
| CVE-2019-18197 | HIGH | 7.5 | 4.45% | — | 16.04 | In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the rel… | Oct 18, 2019 |
| CVE-2019-16168 | MEDIUM | 6.5 | 4.25% | — | 16.04 | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missin… | Sep 9, 2019 |
| CVE-2019-13118 | MEDIUM | 5.3 | 5.15% | — | 16.04 | In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an in… | Jul 1, 2019 |
| CVE-2019-13117 | MEDIUM | 5.3 | 6.46% | — | 16.04 | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumb… | Jul 1, 2019 |
| CVE-2019-11068 | CRITICAL | 9.8 | 5.09% | — | 16.04 | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permi… | Apr 10, 2019 |
| CVE-2019-7317 | MEDIUM | 5.3 | 9.39% | — | 16.04 | png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called und… | Feb 4, 2019 |
| CVE-2019-6109 | MEDIUM | 6.8 | 3.81% | — | 16.04 | An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (o… | Jan 31, 2019 |
| CVE-2018-10902 | HIGH | 7.8 | 0.52% | — | 16.04 | It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc … | Aug 21, 2018 |
| CVE-2018-13785 | MEDIUM | 6.5 | 4.47% | — | 16.04 | In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an i… | Jul 9, 2018 |
| CVE-2018-3639 | MEDIUM | 5.5 | 60.63% | — | 16.04 | Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addres… | May 22, 2018 |
| CVE-2017-5753 | MEDIUM | 5.6 | 93.84% | — | 16.04 | Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of … | Jan 4, 2018 |
| CVE-2016-9842 | HIGH | 8.8 | 5.20% | — | 16.04 | The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact v… | May 23, 2017 |
| CVE-2016-9841 | CRITICAL | 9.8 | 7.55% | — | 16.04 | inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointe… | May 23, 2017 |
| CVE-2016-9840 | HIGH | 8.8 | 4.79% | — | 16.04 | inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper point… | May 23, 2017 |
Ubuntu 16.x is EOL — migrate to Ubuntu 17.x
Ubuntu 17.x is the next major release. Plan your upgrade before Ubuntu 16.x stops receiving security patches.
Frequently asked questions
Is Ubuntu 16 end of life?
Yes. All Ubuntu 16.x releases have reached end of life and no longer receive security patches. There are 19 known CVEs affecting Ubuntu 16.x, including 2 critical. Migrate to Ubuntu 17.x as soon as possible.
What CVEs affect Ubuntu 16?
There are 19 CVEs tracked for Ubuntu 16.x, including 2 critical severity issues and 3 listed in the CISA Known Exploited Vulnerabilities catalog. See the full list above with CVSS and EPSS scores.
What is the latest Ubuntu 16 version?
The latest Ubuntu 16.x patch release is 16.10, released on October 13, 2016. Always run the latest patch to benefit from all security fixes.
How to migrate from Ubuntu 16 to Ubuntu 17?
To migrate from Ubuntu 16 to Ubuntu 17: (1) review the official Ubuntu 17 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.
Is it safe to run Ubuntu 16 in production?
No. Ubuntu 16 has reached end of life and security vulnerabilities are no longer patched. Critically, 3 CVEs affecting Ubuntu 16.x are in the CISA KEV catalog — meaning they are actively exploited in the wild. Upgrade to a supported version immediately.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA
