Fedora Hummingbird Launches as Rolling OS with Zero-CVE Container Approach

Red Hat Unveils Fedora Hummingbird: A Rolling Distribution Built on Distroless Principles

BOSTON, MA – June 2026 – At Red Hat Summit 2026, Red Hat announced Fedora Hummingbird, a new container-based rolling Fedora Linux distribution that extends the zero-CVE approach of Project Hummingbird from container images to the entire operating system. The distribution provides immediate access to the latest upstream software, ensuring both security and currency.

Source: fedoramagazine.org

Key Details

Fedora Hummingbird uses an image-based workflow similar to containers but runs natively on virtual machines and bare metal. It leverages the hardened, distroless image model developed by Project Hummingbird, applying it to the host OS. The foundation is already available from the Hummingbird containers repository and can be booted today.

“What we’ve done is take the Hummingbird container philosophy—minimal, patched, and always current—and bring it to the full operating system,” said Sarah Chen, lead architect for Project Hummingbird at Red Hat. “This means developers get a host OS that inherits the same zero-CVE promise as our container images.”

Background

Project Hummingbird was launched eight months ago with the goal of achieving near-zero CVE reports in every container image it ships. The team made architectural decisions—distroless images, minimal package footprints, hermetic builds, and aggressive pipeline automation—to serve that goal. Distroless images contain no package manager or shell, only the application and its runtime essentials.

“When you pull a third-party image, you inherit its vulnerabilities and are responsible for patching,” explained Mike O’Brien, security lead for the project. “With Hummingbird, our pipeline automatically triages, patches, and rebuilds. You skip the CVE nightmare.”

To date, the project has built a catalog of 49 unique minimal, hardened, distroless container images (157 variants including FIPS and multi-arch) covering Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and more. Current CVE status is published live at the Hummingbird catalog.

How It’s Built

The pipeline uses Konflux for fully isolated, reproducible builds from pinned package lists. Incremental updates are handled by chunkah, a custom tool that downloads only changed image parts. Continuous vulnerability scanning uses Syft and Grype. When a vulnerability is patched upstream, the pipeline detects it, rebuilds, tests, and ships.
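The detect-and-rebuild step described above can be sketched as a triage over Grype's JSON report. This is an added example, not Project Hummingbird's pipeline code: the function names, package names and CVE ids are constructed, and only the `matches[].vulnerability.fix` and `matches[].artifact` fields of `grype -o json` output are assumed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `grype <image> -o json` output, trimmed to the
# fields used below. Package names and CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""
{"matches": [
 {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                    "fix": {"state": "fixed", "versions": ["3.2.1-2"]}},
  "artifact": {"name": "libexample", "version": "3.2.1-1"}},
 {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                    "fix": {"state": "fixed", "versions": ["3.2.1-2"]}},
  "artifact": {"name": "libexample", "version": "3.2.1-1"}},
 {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                    "fix": {"state": "not-fixed", "versions": []}},
  "artifact": {"name": "examplessl", "version": "1.0.0-4"}},
 {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                    "fix": {"state": "wont-fix", "versions": []}},
  "artifact": {"name": "exampled", "version": "0.9-1"}}
]}
""")


def triage(report):
    """Split matches into packages with an upstream fix and findings without one."""
    rebuild = defaultdict(lambda: {"cves": set(), "fix_versions": set()})
    waiting = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        pkg = match["artifact"]["name"]
        fix = vuln.get("fix") or {}
        if fix.get("state") == "fixed" and fix.get("versions"):
            # A fixed version exists: bumping the pinned package clears the finding.
            rebuild[pkg]["cves"].add(vuln["id"])
            rebuild[pkg]["fix_versions"].update(fix["versions"])
        else:
            # No fix to pull in yet; track it instead of rebuilding for nothing.
            waiting.append((pkg, vuln["id"], fix.get("state", "unknown")))
    return dict(rebuild), sorted(waiting)


def should_rebuild(report):
    """True when at least one finding can be cleared by rebuilding."""
    rebuild, _ = triage(report)
    return bool(rebuild)


if __name__ == "__main__":
    rebuild, waiting = triage(SAMPLE_REPORT)
    print("rebuild:", rebuild)
    print("waiting:", waiting)
```

Findings in the `waiting` list are the ones a zero-CVE claim depends on: they stay open until upstream ships a fix, so they need tracking rather than a rebuild.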

More than 95% of packages in every Hummingbird image come directly from Fedora Rawhide, unmodified. The remaining packages are pulled from upstream when Rawhide doesn’t carry them or isn’t recent enough, and the team contributes changes back to Fedora. This approach is similar to Fedora CoreOS but serves a different use case—CoreOS is minimal for orchestrated workloads, while Hummingbird targets immediate developer access.

What This Means

For developers, Fedora Hummingbird eliminates the traditional security overhead of managing a host OS. The rolling update model delivers software as soon as it’s available upstream, while the automated pipeline ensures that every update is already patched against known vulnerabilities.

Enterprises benefit from a host OS that stays continuously secure without manual intervention. The image-based workflow also simplifies rollback and reproducibility. “This is a paradigm shift for OS delivery,” said Chen. “You get the agility of rolling releases with the security posture of a hardened, immutable system.”

The immediate availability from the Hummingbird repository means developers can test the model today. Full support and tooling are expected to expand over the coming months as the project matures toward general availability.

Looking Ahead

Red Hat plans to integrate Fedora Hummingbird with its broader ecosystem, including container orchestration and edge computing. The project’s live CVE status dashboard and open-source pipeline will allow the community to verify and contribute.

“We’re inviting the community to pull, boot, and break it,” O’Brien added. “That’s how we’ll get to zero CVE not just in theory, but in practice.”
