Ubuntu 18.x — End of Life
EOL Actively exploitedUbuntu 18.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 18.10 | Oct 18, 2018 | Jul 18, 2019 | Jul 18, 2019 | 18.10 | EOL |
| 18.04LTS | Apr 26, 2018 | May 31, 2023 | May 31, 2023 | 18.04.6 | EOL |
CVEs affecting Ubuntu 18.x (22)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-31431 | HIGH | 7.8 | 96.27% | KEV | 18.04 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla… | Apr 22, 2026 |
| CVE-2026-31431 | HIGH | 7.8 | 96.27% | KEV | 18.10 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-pla… | Apr 22, 2026 |
| CVE-2026-3888 | HIGH | 7.8 | 0.38% | — | 18.04 | Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private … | Mar 17, 2026 |
| CVE-2022-0492 | HIGH | 7.8 | 5.53% | KEV | 18.04 | A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. Th… | Mar 3, 2022 |
| CVE-2020-29372 | MEDIUM | 4.7 | 0.39% | — | 18.04 | An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition betwee… | Nov 28, 2020 |
| CVE-2019-17571 | CRITICAL | 9.8 | 69.06% | — | 18.04 | Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be explo… | Dec 20, 2019 |
| CVE-2019-18197 | HIGH | 7.5 | 4.45% | — | 18.04 | In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the rel… | Oct 18, 2019 |
| CVE-2019-16168 | MEDIUM | 6.5 | 4.25% | — | 18.04 | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missin… | Sep 9, 2019 |
| CVE-2019-13118 | MEDIUM | 5.3 | 5.15% | — | 18.04 | In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an in… | Jul 1, 2019 |
| CVE-2019-13117 | MEDIUM | 5.3 | 6.46% | — | 18.04 | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumb… | Jul 1, 2019 |
| CVE-2019-11068 | CRITICAL | 9.8 | 5.09% | — | 18.10 | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permi… | Apr 10, 2019 |
| CVE-2019-11068 | CRITICAL | 9.8 | 5.09% | — | 18.04 | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permi… | Apr 10, 2019 |
| CVE-2019-7317 | MEDIUM | 5.3 | 9.39% | — | 18.04 | png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called und… | Feb 4, 2019 |
| CVE-2019-7317 | MEDIUM | 5.3 | 9.39% | — | 18.10 | png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called und… | Feb 4, 2019 |
| CVE-2019-6109 | MEDIUM | 6.8 | 3.81% | — | 18.10 | An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (o… | Jan 31, 2019 |
| CVE-2019-6109 | MEDIUM | 6.8 | 3.81% | — | 18.04 | An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (o… | Jan 31, 2019 |
| CVE-2018-10902 | HIGH | 7.8 | 0.52% | — | 18.04 | It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc … | Aug 21, 2018 |
| CVE-2018-13785 | MEDIUM | 6.5 | 4.47% | — | 18.04 | In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an i… | Jul 9, 2018 |
| CVE-2018-3639 | MEDIUM | 5.5 | 60.63% | — | 18.04 | Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addres… | May 22, 2018 |
| CVE-2016-9842 | HIGH | 8.8 | 5.20% | — | 18.04 | The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact v… | May 23, 2017 |
| CVE-2016-9841 | CRITICAL | 9.8 | 7.55% | — | 18.04 | inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointe… | May 23, 2017 |
| CVE-2016-9840 | HIGH | 8.8 | 4.79% | — | 18.04 | inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper point… | May 23, 2017 |
Ubuntu 18.x is EOL — migrate to Ubuntu 19.x
Ubuntu 19.x is the next major release. Plan your upgrade before Ubuntu 18.x stops receiving security patches.
Frequently asked questions
Is Ubuntu 18 end of life?
Yes. All Ubuntu 18.x releases have reached end of life and no longer receive security patches. There are 22 known CVEs affecting Ubuntu 18.x, including 4 critical. Migrate to Ubuntu 19.x as soon as possible.
What CVEs affect Ubuntu 18?
There are 22 CVEs tracked for Ubuntu 18.x, including 4 critical severity issues and 3 listed in the CISA Known Exploited Vulnerabilities catalog. See the full list above with CVSS and EPSS scores.
What is the latest Ubuntu 18 version?
The latest Ubuntu 18.x patch release is 18.10, released on October 18, 2018. Always run the latest patch to benefit from all security fixes.
How to migrate from Ubuntu 18 to Ubuntu 19?
To migrate from Ubuntu 18 to Ubuntu 19: (1) review the official Ubuntu 19 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.
Is it safe to run Ubuntu 18 in production?
No. Ubuntu 18 has reached end of life and security vulnerabilities are no longer patched. Critically, 3 CVEs affecting Ubuntu 18.x are in the CISA KEV catalog — meaning they are actively exploited in the wild. Upgrade to a supported version immediately.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA
