What 44 CVEs Tell You About Rust's Safety Boundary
Canonical disclosed 44 CVEs in uutils, a Rust reimplementation of GNU coreutils, following an external audit. The audit revealed that many bugs were not caught by Rust's safety features, highlighting limitations in the language's type system. Matthias Endler's analysis categorizes these vulnerabilities and discusses the implications for Rust's safety guarantees.
- ▪The 44 CVEs were disclosed in April 2026 as part of an audit ahead of the 26.04 LTS release of Ubuntu.
- ▪Most vulnerabilities were identified through code review, with none detected by Rust's borrow checker or other safety tools.
- ▪The largest cluster of issues involved Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities related to path operations.
Opening excerpt (first ~120 words) tap to expand
try { if(localStorage) { let currentUser = localStorage.getItem('current_user'); if (currentUser) { currentUser = JSON.parse(currentUser); if (currentUser.id === 3906866) { document.getElementById('article-show-container').classList.add('current-user-is-article-author'); } } } } catch (e) { console.error(e); } Arthur Posted on May 19 • Originally published at pickles.news What 44 CVEs Tell You About Rust's Safety Boundary #rust #security #cve #coreutils In April 2026, Canonical disclosed 44 CVEs in uutils, the Rust reimplementation of GNU coreutils that has been the default in Ubuntu since 25.10. The disclosures came out of an external audit commissioned ahead of the 26.04 LTS release. Most of the bugs were found by code review of a single Rust codebase.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).