Canonical disclosed 44 CVEs in uutils, the Rust reimplementation of GNU coreutils that Ubuntu has shipped since 25.10. None were caught by Rust's borrow checker, clippy, or cargo audit, nor would one expect them to be: the bugs are TOCTOU race conditions, symlink-following in privileged file operations, and UTF-8 handling errors, logic defects in how the tools use the filesystem API rather than the memory-safety violations Rust's safety model actually rules out. For privilege-sensitive systems code that gap matters, and it is why Ubuntu 26.04 LTS retains the GNU versions of cp, mv, and rm.
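The TOCTOU and symlink class named above, as an added example that is not uutils code and not taken from Canonical's advisory: a check-then-act on a path (the racy shape) beside the same operation done on a descriptor opened with O_NOFOLLOW (the hardened shape). The borrow checker accepts both. Assumptions: Linux, where O_NOFOLLOW is 0o400000 on the common architectures (real code would take it from the libc crate); the temp-directory names, the file contents, and the `between` callback that stands in for an attacker winning the race are constructed for the demonstration.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Read};
use std::os::unix::fs::{symlink, OpenOptionsExt};
use std::path::{Path, PathBuf};

// Assumption: Linux, where O_NOFOLLOW is 0o400000 on the common
// architectures. Production code should use `libc::O_NOFOLLOW` instead.
const O_NOFOLLOW: i32 = 0o400000;

/// Racy pattern: lstat the path, then resolve the path a second time.
/// `between` models a concurrent attacker acting in the window between
/// the check and the use (a callback here so the demo is deterministic).
fn read_if_regular_racy(path: &Path, between: impl FnOnce()) -> io::Result<Vec<u8>> {
    // TIME OF CHECK: lstat says "regular file, not a symlink".
    let md = fs::symlink_metadata(path)?;
    if !md.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    between();
    // TIME OF USE: a fresh path lookup. If `path` became a symlink in the
    // window, open(2) follows it and we read the attacker's chosen target.
    fs::read(path)
}

/// Hardened pattern: open once with O_NOFOLLOW, validate with fstat on the
/// descriptor, and do all further work on that descriptor. The path is
/// never resolved again, so a later swap cannot redirect the read.
fn read_if_regular_safe(path: &Path, between: impl FnOnce()) -> io::Result<Vec<u8>> {
    let mut file = OpenOptions::new()
        .read(true)
        .custom_flags(O_NOFOLLOW) // open(2) fails with ELOOP on a symlink
        .open(path)?;
    let md = file.metadata()?; // fstat: describes what was actually opened
    if !md.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a regular file"));
    }
    between(); // attacker swaps the path now; the descriptor is unaffected
    let mut buf = Vec::new();
    file.read_to_end(&mut buf)?;
    Ok(buf)
}

/// Constructed fixture: `victim` is the file the program intends to read,
/// `secret` is the file the attacker wants it to read instead.
fn setup(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let dir = std::env::temp_dir().join(format!("toctou-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let victim = dir.join("victim");
    let secret = dir.join("secret");
    fs::write(&victim, b"victim")?;
    fs::write(&secret, b"secret")?;
    Ok((victim, secret))
}

/// The attacker's move: prepare a symlink and rename(2) it over `victim`,
/// which atomically replaces the regular file with a link to `secret`.
fn swap_in_symlink(victim: &Path, secret: &Path) -> io::Result<()> {
    let evil = victim.with_file_name("evil");
    symlink(secret, &evil)?;
    fs::rename(&evil, victim)
}

/// The racy version loses the race and returns the bytes of `secret`.
fn demo_racy() -> io::Result<Vec<u8>> {
    let (victim, secret) = setup("racy")?;
    read_if_regular_racy(&victim, || swap_in_symlink(&victim, &secret).expect("swap"))
}

/// The hardened version survives the same swap and returns `victim`.
fn demo_safe() -> io::Result<Vec<u8>> {
    let (victim, secret) = setup("safe")?;
    read_if_regular_safe(&victim, || swap_in_symlink(&victim, &secret).expect("swap"))
}

/// If the symlink is already in place, O_NOFOLLOW makes the open fail
/// instead of silently following it.
fn demo_safe_refuses_existing_symlink() -> bool {
    let (victim, secret) = match setup("pre") {
        Ok(p) => p,
        Err(_) => return false,
    };
    if swap_in_symlink(&victim, &secret).is_err() {
        return false;
    }
    read_if_regular_safe(&victim, || {}).is_err()
}

fn main() -> io::Result<()> {
    println!("racy read returned: {:?}", String::from_utf8_lossy(&demo_racy()?));
    println!("safe read returned: {:?}", String::from_utf8_lossy(&demo_safe()?));
    println!("safe open of pre-existing symlink fails: {}", demo_safe_refuses_existing_symlink());
    Ok(())
}
```

The point of the pair is that nothing in the type system distinguishes them: both borrow `path` correctly and neither touches unsafe code. The difference is purely whether the privileged operation is performed on the name (resolved again, and so swappable) or on the descriptor obtained from a single O_NOFOLLOW open; the same shape applies to cp, mv and rm, where the racy version additionally runs with the caller's privileges over whatever the link now points at.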
Safety
Bugs Rust won't catch
Canonical disclosed 44 CVEs in uutils that sit entirely outside what Rust's safety model checks: the borrow checker rules out memory-safety bugs, not privilege-sensitive logic bugs such as TOCTOU races and symlink attacks. As a result, Ubuntu 26.04 LTS keeps the GNU versions of cp, mv, and rm.
Wednesday, April 29, 2026, 12:00 PM UTC · 2 min read · Source: Hacker News · By sys://pipeline
Tags
safety