Fedora Hummingbird: A Rolling, CVE-Free Linux Distribution Built on Project Hummingbird
Introduction
At Red Hat Summit 2026, the Red Hat team unveiled Fedora Hummingbird—a new rolling release distribution of Fedora Linux that uses a container-inspired image-based workflow. Designed to deliver the latest software as soon as it becomes available upstream, Fedora Hummingbird aims to keep systems both up to date and secure by relying on the foundation laid by Project Hummingbird. This operating system runs not only in containers but also in virtual machines and directly on bare metal, extending the container model all the way down to the host OS.
The distribution builds on existing work from Project Hummingbird on container images and from Project Bluefin on the operating system. Much of this technology is already available today from the Hummingbird containers repository; users can pull and boot Fedora Hummingbird right now.
What Is Fedora Hummingbird?
Fedora Hummingbird is a container-based, rolling Fedora Linux distribution. Its primary workflow is image-based—similar to how container images are built and deployed—making it easy to update, revert, and manage. Because it follows a rolling release model, software is continuously refreshed from upstream sources, ensuring that the system always runs the newest versions.
How It Works
Unlike traditional operating systems that rely on package managers and manual updates, Fedora Hummingbird uses the same image-based techniques that Project Hummingbird perfected for containers. The entire OS image is built, tested, and shipped as a single unit. This approach simplifies updates: users pull a fresh image and reboot to apply changes, much like updating a containerized application. The system can be deployed in virtual machines, on bare metal, or as part of a container runtime environment.
The Philosophy Behind Project Hummingbird
The central goal of Project Hummingbird is to achieve—and continuously maintain—zero CVE reports in every container image it ships. Every architectural decision, from distroless images and minimal package footprints to hermetic builds and pipeline automation, serves this objective. Distroless images contain only the application and its strict runtime dependencies, eliminating package managers, shells, and other non-essential components.
Why Distroless Matters
When you pull a third-party container image today, you inherit all its vulnerabilities and become responsible for managing them. With Hummingbird images, the pipeline performs all CVE triage, patching, and rebuilding before the image is released. Users skip the hassle of vulnerability management. Current CVE status for all images and variants is published live in the Hummingbird catalog, providing transparency and trust.
Over the past eight months, the Hummingbird team has built a catalog of 49 unique minimal, hardened, distroless container images—that’s 157 variants including FIPS and multi-architecture versions. These cover languages and runtimes such as Python, Go, Node.js, Rust, Ruby, OpenJDK, .NET, PostgreSQL, nginx, and many more.
Technical Architecture
The infrastructure that powers Fedora Hummingbird is based on a Konflux pipeline, which ensures fully isolated, reproducible builds from pinned package lists. The team also developed a tool called chunkah to enable efficient incremental updates: when an image changes, only the altered parts are re-downloaded. Continuous vulnerability scanning using Syft and Grype catches any new flaws, and when an upstream patch appears, the pipeline automatically rebuilds, tests, and ships the updated image.
Package Sourcing
More than 95% of the packages in every Hummingbird image come directly from Fedora Rawhide, unmodified. The remaining packages are pulled from upstream when Rawhide doesn’t yet carry them or isn’t new enough. The team actively contributes these changes back to Fedora, strengthening the ecosystem. This approach is comparable to Fedora CoreOS, but CoreOS is designed for minimal host systems running orchestrated workloads, whereas Hummingbird focuses on providing a full, container-native operating system.
Current Status and Next Steps
Fedora Hummingbird is already available for testing. The core images from Project Hummingbird can be pulled and booted today, and the full OS distribution is expected to follow a rapid release cadence. With its rolling nature and emphasis on security, Fedora Hummingbird represents a significant step forward in making container-grade reliability available to the entire operating system.
As the project evolves, the team plans to expand the image catalog further, enhance the pipeline automation, and integrate more deeply with Fedora’s infrastructure. For now, developers and operators can experience a system that stays continuously updated and virtually CVE-free, without the traditional burden of patch management.