diff --git a/acceptance-tests/ipv4director/smoke/manifest.yml b/acceptance-tests/ipv4director/smoke/manifest.yml
index e2c88213be..c4aecf03b0 100644
--- a/acceptance-tests/ipv4director/smoke/manifest.yml
+++ b/acceptance-tests/ipv4director/smoke/manifest.yml
@@ -4,6 +4,8 @@ name: stemcell-acceptance-tests
 releases:
 - name: syslog
   version: latest
+- name: bpm
+  version: latest
 
 stemcells:
 - alias: default
@@ -25,6 +27,8 @@ instance_groups:
   - {name: default}
   azs: [z1]
   jobs:
+  - name: bpm
+    release: bpm
   - name: syslog_forwarder
     release: syslog
     properties:
diff --git a/acceptance-tests/ipv4director/smoke/smoke_test.go b/acceptance-tests/ipv4director/smoke/smoke_test.go
index 6a510414b5..93f23a4f26 100644
--- a/acceptance-tests/ipv4director/smoke/smoke_test.go
+++ b/acceptance-tests/ipv4director/smoke/smoke_test.go
@@ -83,7 +83,16 @@ var _ = Describe("Stemcell", func() {
 
 		contents, err := io.ReadAll(tempFile)
 		Expect(err).ToNot(HaveOccurred())
-		Expect(contents).ToNot(ContainSubstring("No such file or directory"))
+
+		// Extract only the offending lines so failures are readable (auth.log can be
+		// hundreds of kilobytes and Gomega truncates the full-content diff).
+		var offending []string
+		for _, line := range strings.Split(string(contents), "\n") {
+			if strings.Contains(line, "No such file or directory") {
+				offending = append(offending, line)
+			}
+		}
+		Expect(offending).To(BeEmpty(), "auth.log contained 'No such file or directory':\n%s", strings.Join(offending, "\n"))
 	})
 
 	It("#141987897: has ipv6 enabled in the kernel", func() {
@@ -96,8 +105,11 @@ var _ = Describe("Stemcell", func() {
 		_, _, exitStatus, err := bosh.Run(
 			"--column=stdout",
 			"ssh", "default/0", "-r", "-c",
-			// sleep to ensure we have multiple samples so average can be verified
-			`sudo /usr/lib/sysstat/sa1 && sudo /usr/lib/sysstat/sa1 1 1 && sleep 2`,
+			// Ubuntu 26.04+ relocated sa1 to /usr/libexec/sysstat/; fall back to the
+			// legacy path for older releases.  sleep ensures multiple samples for the
+			// Average: check.
+			`SA1=$(ls /usr/lib/sysstat/sa1 /usr/libexec/sysstat/sa1 2>/dev/null | head -1) && `+
+				`sudo "$SA1" && sudo "$SA1" 1 1 && sleep 2`,
 		)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(exitStatus).To(Equal(0))
diff --git a/acceptance-tests/ipv4director/syslogrelease/manifest.yml b/acceptance-tests/ipv4director/syslogrelease/manifest.yml
index 68f68df322..ff76e8c99e 100644
--- a/acceptance-tests/ipv4director/syslogrelease/manifest.yml
+++ b/acceptance-tests/ipv4director/syslogrelease/manifest.yml
@@ -4,6 +4,8 @@ name: stemcell-acceptance-tests
 releases:
 - name: syslog
   version: latest
+- name: bpm
+  version: latest
 
 stemcells:
 - alias: default
@@ -40,6 +42,8 @@ instance_groups:
   networks:
   - {name: default}
   jobs:
+  - name: bpm
+    release: bpm
   - name: syslog_forwarder
     release: syslog
     consumes:
diff --git a/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go b/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go
index 7829a30db4..850aa7550c 100644
--- a/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go
+++ b/acceptance-tests/ipv4director/syslogrelease/smoke_suite_test.go
@@ -22,9 +22,11 @@ var _ = BeforeSuite(func() {
 	bosh = testhelpers.NewBOSH()
 	stemcellPath := testhelpers.RequireEnv("STEMCELL_PATH")
 	syslogReleasePath := testhelpers.RequireEnv("SYSLOG_RELEASE_PATH")
+	bpmReleasePath := testhelpers.RequireEnv("BPM_RELEASE_PATH")
 
 	bosh.UploadStemcell(stemcellPath)
 	bosh.UploadRelease(syslogReleasePath)
+	bosh.UploadRelease(bpmReleasePath)
 	bosh.SafeDeploy()
 })
 
diff --git a/acceptance-tests/testhelpers/bosh.go b/acceptance-tests/testhelpers/bosh.go
index fbd397402d..d081015bb4 100644
--- a/acceptance-tests/testhelpers/bosh.go
+++ b/acceptance-tests/testhelpers/bosh.go
@@ -35,7 +35,7 @@ func (b *BOSH) Teardown() {
 	Expect(err).ToNot(HaveOccurred())
 	Expect(exitStatus).To(Equal(0), fmt.Sprintf("stdOut: %s \n stdErr: %s", stdOut, stdErr))
 
-	stdOut, stdErr, exitStatus, err = b.Run("clean-up", "--all")
+	stdOut, stdErr, exitStatus, err = b.Run("clean-up")
 	Expect(err).ToNot(HaveOccurred())
 	Expect(exitStatus).To(Equal(0), fmt.Sprintf("stdOut: %s \n stdErr: %s", stdOut, stdErr))
 }
diff --git a/ci/pipelines/builder.yml b/ci/pipelines/builder.yml
index bfb10a8755..aeb4d30875 100644
--- a/ci/pipelines/builder.yml
+++ b/ci/pipelines/builder.yml
@@ -450,6 +450,7 @@ jobs:
       - get: bosh-linux-stemcell-builder
       - get: bosh-deployment
       - get: syslog-release
+      - get: bpm-release
       - get: os-conf-release
       - get: stemcell
         passed:
@@ -517,6 +518,7 @@ jobs:
 #!      - get: bosh-linux-stemcell-builder
 #!      - get: bosh-deployment
 #!      - get: syslog-release
+#!      - get: bpm-release
 #!      - get: os-conf-release
 #!      - get: stemcell
 #!        passed:
@@ -1098,10 +1100,11 @@ resources:
   type: git
   source:
     branch: (@= data.values.stemcell_details.branch @)
+    uri: https://github.com/cloudfoundry/bosh-linux-stemcell-builder.git
     paths:
       - ci
       - .ruby-version
-    uri: https://github.com/cloudfoundry/bosh-linux-stemcell-builder.git
+      - acceptance-tests
 
 - name: bats
   type: git
@@ -1133,6 +1136,12 @@ resources:
   type: bosh-io-release
   source:
     repository: cloudfoundry/os-conf-release
+
+- name: bpm-release
+  type: bosh-io-release
+  source:
+    repository: cloudfoundry/bpm-release
+
 - name: bosh-deployment
   type: git
   source:
diff --git a/ci/tasks/test-stemcell.sh b/ci/tasks/test-stemcell.sh
index 094e7c6af6..ba50164d6a 100755
--- a/ci/tasks/test-stemcell.sh
+++ b/ci/tasks/test-stemcell.sh
@@ -16,6 +16,7 @@ BOSH_CLIENT_SECRET="$(bosh int "${REPO_PARENT}/director-state/director-creds.yml
 BOSH_ENVIRONMENT="$(bosh int "${REPO_PARENT}/director-state/director-creds.yml" --path /internal_ip)"
 SYSLOG_RELEASE_PATH="$(realpath "${REPO_PARENT}/syslog-release"/*.tgz)"
 OS_CONF_RELEASE_PATH="$(realpath "${REPO_PARENT}/os-conf-release"/*.tgz)"
+BPM_RELEASE_PATH="$(realpath "${REPO_PARENT}/bpm-release"/*.tgz)"
 STEMCELL_PATH="$(realpath "${REPO_PARENT}/stemcell"/*.tgz)"
 # Quote value since the bosh CLI YAML parses it which results in `0.40` becoming `0.4`
 # shellcheck disable=SC2089
@@ -28,6 +29,7 @@ export BOSH_CLIENT_SECRET
 export BOSH_ENVIRONMENT
 export SYSLOG_RELEASE_PATH
 export OS_CONF_RELEASE_PATH
+export BPM_RELEASE_PATH
 export STEMCELL_PATH
 export BOSH_stemcell_version
 
diff --git a/ci/tasks/test-stemcell.yml b/ci/tasks/test-stemcell.yml
index c1c26e398c..2384206ebe 100644
--- a/ci/tasks/test-stemcell.yml
+++ b/ci/tasks/test-stemcell.yml
@@ -7,6 +7,7 @@ inputs:
 - name: stemcell
 - name: syslog-release
 - name: os-conf-release
+- name: bpm-release
 - name: director-state
 
 params:
diff --git a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
index 07f51ea965..f04bc3f6da 100644
--- a/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
+++ b/image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4
@@ -1,12 +1,12 @@
 <metalink xmlns="urn:ietf:params:xml:ns:metalink">
   <file name="ubuntu-jammy.tgz">
-    <hash type="sha-512">182693503ed5d20dd8f1e20354eb83f7bf9c98abf50a2dc773cd8e46c3377c9b2f1d5d1538e62c7f2fcaff793377100a6041af5008b960ace8f2b3fd734f9631</hash>
-    <hash type="sha-256">2d2671e2bc08313f25275db13745b84b49bda65a983480dac5c1f636b98cfe50</hash>
-    <hash type="sha-1">687ab8e8f8a229c4c354be66d2d6566d38e3ad8b</hash>
-    <hash type="md5">9b8ef49de155059b700197509e1f2421</hash>
-    <size>435215809</size>
+    <hash type="sha-512">31dea7af0f628a67ab91ebbe4005d0b89873b9aa7560a722b5665dc418a30dc0220241782b826ac0d5c45d369c7e9401e5f90afb6a2cd54d2300e86be1c77812</hash>
+    <hash type="sha-256">480707f5a3eff94e8668fdffceccc3d135b6999ff9f14e21cd8b5dfd2d7d63c2</hash>
+    <hash type="sha-1">84a9075825fce098b1fba916c4862556a16588d0</hash>
+    <hash type="md5">ab7f1a3bea00723d2522362d6931a003</hash>
+    <size>435213458</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz</url>
-    <version>1104.0.0</version>
+    <version>1105.0.0</version>
   </file>
   <file name="usn-log.json">
     <hash type="sha-512">be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09</hash>
@@ -15,8 +15,8 @@
     <hash type="md5">68b329da9893e34099c7d8ad5cb9c940</hash>
     <size>1</size>
     <url>https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json</url>
-    <version>1104.0.0</version>
+    <version>1105.0.0</version>
   </file>
   <generator>metalink-repository-resource/0.0.0</generator>
-  <published>2026-06-18T18:21:28.865309981Z</published>
+  <published>2026-06-18T22:29:21.024149406Z</published>
 </metalink>
diff --git a/stemcell_builder/stages/password_policies/apply.sh b/stemcell_builder/stages/password_policies/apply.sh
index bf9753b841..86e78dde3d 100755
--- a/stemcell_builder/stages/password_policies/apply.sh
+++ b/stemcell_builder/stages/password_policies/apply.sh
@@ -33,6 +33,16 @@ patch -p1 $chroot/etc/pam.d/common-auth < $assets_dir/ubuntu/common-auth.patch
 strip_trailing_whitespace_from $chroot/etc/pam.d/common-password
 patch -p1 $chroot/etc/pam.d/common-password < $assets_dir/ubuntu/common-password.patch
 
+# libpam-lastlog2 installs pam_lastlog2.so only to the multiarch path
+# (/usr/lib/x86_64-linux-gnu/security/) but PAM's securedir is /usr/lib/security/.
+# Bridge the gap so PAM can load the module referenced above.
+if [ -f "$chroot/usr/lib/x86_64-linux-gnu/security/pam_lastlog2.so" ] && \
+   [ ! -e "$chroot/usr/lib/security/pam_lastlog2.so" ]; then
+  mkdir -p "$chroot/usr/lib/security"
+  ln -sf /usr/lib/x86_64-linux-gnu/security/pam_lastlog2.so \
+      "$chroot/usr/lib/security/pam_lastlog2.so"
+fi
+
 strip_trailing_whitespace_from $chroot/etc/pam.d/login
 patch $chroot/etc/pam.d/login < $assets_dir/ubuntu/login.patch