Overview

If you are still relying on Ubuntu 16.04 LTS (Xenial Xerus) in production or as a daily driver, time has run out for free security patches. The standard five years of support ended in April 2021, and the Extended Security Maintenance (ESM) period—provided through an Ubuntu Pro subscription—concluded in April 2026. This means your system is now exposed to unpatched vulnerabilities, making it a prime target for attackers. The good news is that you have two clear paths forward: upgrade to a supported release or pay for continued security coverage via Ubuntu Pro. This guide walks you through both options, explains the prerequisites, provides step-by-step instructions with code examples, and highlights common pitfalls to avoid.

Prerequisites

Before you begin, ensure you have the following:

• Root or sudo access to the system
• A full system backup – Use tools like rsync, dd, or a VM snapshot. This is critical because upgrades can occasionally fail.
• Stable internet connection – All methods require downloading packages.
• Enough free disk space – At least 5 GB free for the upgrade process; more if you are keeping package caches.
• List of critical services – Note any custom configurations, databases, or web applications that might need reconfiguration after an upgrade.

Step-by-Step Instructions

Option 1: Upgrading to a Supported LTS Release

The most straightforward and recommended approach is to upgrade to a newer LTS. However, Ubuntu 16.04 cannot jump directly to 18.04 or 20.04; you must go step by step. Here is the upgrade chain:

• Upgrade from 16.04 LTS to 18.04 LTS
• Upgrade from 18.04 LTS to 20.04 LTS
• (Optional) Upgrade from 20.04 LTS to 22.04 LTS or 24.04 LTS

Step 1: Prepare the System

1. Update your current packages:

sudo apt update
sudo apt upgrade -y
sudo apt dist-upgrade -y
sudo apt autoremove -y

2. Remove obsolete packages:

sudo apt-get install update-manager-core
sudo do-release-upgrade --check-dist-upgrade-only

Step 2: Upgrade from 16.04 to 18.04 LTS

1. Edit the release upgrade configuration to allow upgrades from LTS to LTS (if not already set):

sudo sed -i 's/Prompt=never/Prompt=lts/g' /etc/update-manager/release-upgrades

2. Launch the upgrade tool:

sudo do-release-upgrade -d

(Using -d ensures the tool checks for the latest LTS even if it is in development.)

3. Follow the on-screen prompts. The process will take 30–60 minutes. Do not interrupt it. After completion, reboot:

sudo reboot

4. Verify the new release:

lsb_release -a

Step 3: Upgrade from 18.04 to 20.04 LTS

Repeat the same procedure on the upgraded 18.04 system:

1. Update packages again:

sudo apt update && sudo apt upgrade -y

2. Run the release upgrade:

sudo do-release-upgrade -d

3. Reboot and verify.

Step 4: (Optional) Upgrade to a Later LTS

If you want to go further, repeat the process to reach 22.04 or 24.04. Note that direct upgrades from 20.04 to 24.04 are supported, but it is safer to go stepwise (20.04 → 22.04 → 24.04).

Option 2: Subscribe to Ubuntu Pro for Extended Security Maintenance

If you cannot upgrade due to legacy applications or compatibility constraints, you can enable Ubuntu Pro to receive ESM updates until the ESM period ends (already ended in April 2026, so this option is only valid if you already have a subscription or if Canonical offers extended support for very high-tier customers). For completeness, here are the steps to enable it:

1. Obtain an Ubuntu Pro token from ubuntu.com/pro. Free personal tokens are available for up to 5 machines.
2. Attach the token:

sudo ua attach <your_token>

3. Enable the ESM service:

sudo ua enable esm

4. Update your package list and install any outstanding security patches:

sudo apt update && sudo apt upgrade -y

5. Verify that ESM is active:

sudo ua status

With ESM enabled, your 16.04 system will continue to receive critical security updates until the subscription expiry. However, as of April 2026, standard ESM has ended; only enterprise-level extended contracts may still provide patches. Check your specific contract.

Common Mistakes

• Skipping a release upgrade in the chain – Attempting to upgrade directly from 16.04 to 20.04 (or later) will fail. The do-release-upgrade tool forces incremental upgrades.
• Not backing up before upgrades – Even though upgrades are designed to preserve data, power failures or package conflicts can corrupt your system. Always have a backup.
• Ignoring warning messages during upgrade – The upgrade process often asks about configuration file changes. Blindly accepting defaults may overwrite your customizations.
• Running unsupported third-party repositories – After an upgrade, legacy PPAs may be incompatible and cause dependency issues. Disable them beforehand (sudo add-apt-repository --remove ppa:name).
• Forgetting to update kernel and hardware enablement stack – Some older hardware drivers may not work with newer kernels. Check for HWE kernel updates after each major upgrade.
• Assuming ESM covers all packages – ESM only covers the main repository universe for high- and critical-severity CVEs. Community-maintained packages (universe) may not be patched.

Summary

Ubuntu 16.04 LTS security support has ended, leaving your system vulnerable. The recommended solution is to upgrade through the LTS chain (16.04 → 18.04 → 20.04 → 22.04 or 24.04). This process requires careful preparation, backups, and patience. Alternatively, if you have a valid Ubuntu Pro subscription, you can enable ESM to receive security patches for a limited time, but note that the general ESM period has already expired. Both methods are covered in this guide with explicit commands. Regardless of the path you choose, do not delay: an unpatched system is a security risk. Plan the transition today and ensure your Ubuntu environment remains secure.