Bugs Rust Won't Catch
A 2026 security audit of uutils, the Rust reimplementation of GNU coreutils, uncovered 44 CVEs despite Rust's memory-safety guarantees. The bugs fall into classes that Rust does not model at all: TOCTOU races, incorrect path handling, UTF-8 assumptions about byte-oriented input, and improper error propagation. They affected fundamental utilities such as chmod, cp, and sort, and led Ubuntu to retain GNU coreutils for critical operations. The lesson is that memory safety does not eliminate logic or security flaws in privileged systems tools; those need the same care in Rust as in C.
- The uutils project, a Rust rewrite of GNU coreutils, had 44 CVEs disclosed in April 2026 following an external audit commissioned by Canonical.
- Many bugs were TOCTOU races: a path was resolved again on every syscall, so another process could swap what it pointed at between check and use. Neither the borrow checker nor clippy lints model this; they reason about memory, not about the filesystem changing underneath the program.
- Tools such as comm and sort assumed their input was valid UTF-8; non-UTF-8 byte sequences caused data corruption or denial of service.
- Several utilities diverged from GNU behavior in dangerous ways, for example kill -1 signalling every process the caller could reach, where GNU kill would have rejected the command for lack of a PID operand.
- Best practices drawn from the audit: anchor operations to an open file descriptor rather than re-resolving a path, set permissions at creation time instead of with a later chmod, keep filenames and input as bytes at Unix boundaries rather than converting them to String, and treat any reachable panic as a security bug rather than a crash to be tolerated.
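The following Rust program is an added illustration of the first three practices in that list; it is not code from the article or from uutils. It puts the path-based create-then-chmod pattern next to an fd-anchored one (O_CREAT|O_EXCL with the mode passed to open(), fchmod through the descriptor afterwards), shows what a String detour does to a non-UTF-8 filename compared with OsStr, and plants a dangling symlink to show how each creation strategy reacts. All function names, the constructed filename `report-\xff.txt`, and the use of a per-process directory under the system temp dir are assumptions of this example. It uses only the standard library and is Unix-only.

```rust
use std::ffi::OsStr;
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::ffi::OsStrExt;
use std::os::unix::fs::{symlink, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Constructed sample input: a filename containing a byte (0xff) that is not valid UTF-8.
/// Unix filenames are arbitrary bytes, so a coreutils clone must accept this unchanged.
pub const NON_UTF8_NAME: &[u8] = b"report-\xff.txt";

/// Path-based pattern of the kind the audit flagged, kept here for contrast only. The file is
/// created with the default 0o666 & !umask, then chmod() re-resolves the *path*. Between the two
/// syscalls another process can replace `path` with a symlink, and chmod follows it.
pub fn create_then_chmod(path: &Path) -> io::Result<File> {
    let file = File::create(path)?;                                // open(O_CREAT|O_TRUNC)
    fs::set_permissions(path, fs::Permissions::from_mode(0o600))?; // chmod(path): second lookup
    Ok(file)
}

/// Fd-anchored version: the mode is part of the same open() call, O_EXCL refuses to follow
/// anything already at `path`, and later work happens on the returned descriptor.
pub fn create_private(path: &Path) -> io::Result<File> {
    let file = OpenOptions::new()
        .write(true)
        .create_new(true) // O_CREAT | O_EXCL: EEXIST if a file or even a dangling symlink is there
        .mode(0o600)      // permissions set at creation, never by a later chmod
        .open(path)?;
    // Any later change goes through the fd (fchmod), so it cannot be redirected by a path swap.
    file.set_permissions(fs::Permissions::from_mode(0o600))?;
    Ok(file)
}

/// Mode bits read through the descriptor (fstat). Returned as a Result so callers propagate
/// failures instead of unwrap()ing; an unexpected panic in a privileged tool is a DoS bug.
pub fn mode_of(file: &File) -> io::Result<u32> {
    Ok(file.metadata()?.permissions().mode() & 0o777)
}

/// Build a path from raw bytes with no UTF-8 round trip.
pub fn path_from_bytes(dir: &Path, name: &[u8]) -> PathBuf {
    dir.join(OsStr::from_bytes(name))
}

/// What a String detour does to the same bytes: the lossy conversion rewrites 0xff as U+FFFD, so
/// a path rebuilt from it names a different file. Returns true only if the bytes survive.
pub fn bytes_survive_lossy_utf8(name: &[u8]) -> bool {
    String::from_utf8_lossy(name).as_bytes() == name
}

/// The OsStr route keeps every byte.
pub fn bytes_survive_osstr(name: &[u8]) -> bool {
    OsStr::from_bytes(name).as_bytes() == name
}

/// Plant a symlink where the tool expects to create its file (the attacker's half of a TOCTOU
/// race) and compare the two creation strategies. Returns (path_version_followed_link,
/// error_kind_from_fd_version).
pub fn symlink_probe(dir: &Path) -> io::Result<(bool, Option<io::ErrorKind>)> {
    let target = dir.join("victim");
    let planted = dir.join("expected");
    symlink(&target, &planted)?;
    // File::create follows the link: `victim` comes into existence, and the chmod lands on it too.
    let _ = create_then_chmod(&planted)?;
    let followed = target.exists();
    // O_EXCL fails with EEXIST on the symlink itself, so nothing behind it is touched.
    let refused = create_private(&planted).err().map(|e| e.kind());
    Ok((followed, refused))
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("fd-anchor-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let path = path_from_bytes(&dir, NON_UTF8_NAME);
    let file = create_private(&path)?;
    println!("created {:?} with mode {:o}", path, mode_of(&file)?);
    println!("bytes survive lossy UTF-8: {}", bytes_survive_lossy_utf8(NON_UTF8_NAME));
    println!("bytes survive OsStr: {}", bytes_survive_osstr(NON_UTF8_NAME));
    let (followed, refused) = symlink_probe(&dir)?;
    println!("path-based create followed planted symlink: {followed}");
    println!("fd-anchored create refused it with: {refused:?}");
    fs::remove_dir_all(&dir)
}
```

The O_EXCL behaviour is what makes the fd-anchored version safe against the planted link: POSIX requires open() with O_CREAT|O_EXCL to fail with EEXIST when the last path component is a symbolic link, whatever it points to. Note also that `create_private` never needs `String` anywhere: the filename travels as `&[u8]` into `OsStr`, which is the only representation a Unix boundary actually guarantees.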
Opening excerpt (first ~120 words)
Bugs Rust Won't Catch, by Matthias Endler. Published: 2026-04-29

In April 2026, Canonical disclosed 44 CVEs in uutils, the Rust reimplementation of GNU coreutils that ships by default since 25.10. Most of them came out of an external audit commissioned ahead of the 26.04 LTS. I read through the list and thought there’s a lot to learn from it. What’s notable is that all of these bugs landed in a production Rust codebase, written by people who knew what they were doing, and none of them were caught by the borrow checker, clippy lints, or cargo audit. I’m not writing this to criticize the uutils team. Quite the contrary; I actually want to thank them for sharing the audit results in such detail so that we can all learn from them.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Corrode Rust Consulting.