Rust memory safety is about life and death, essay argues
Joshua Liebow-Feeser argues Rust’s memory safety matters because memory bugs can drive surveillance, device takeover, and abuse, not just crashes.

Rust’s memory-safety pitch usually gets sold as cleaner code and fewer bugs. Joshua Liebow-Feeser’s June 2 essay pushed that argument into harsher territory: a buffer overflow is not just a technical flaw when the software sits on a phone, in a safety-critical system, or anywhere a breach can become surveillance, takeover, or physical harm.
That framing lands because the numbers behind the familiar Rust argument have not changed much. Microsoft has said memory-safety problems have represented almost the same share of CVEs for more than a decade, and Microsoft Research later said about 70% of the security bugs it fixes and assigns CVEs each year are memory-safety issues. Google has made a similar case through Google Bug Hunters and Google Project Zero, saying memory-safety bugs drive the majority, around 70%, of severe vulnerabilities in large C and C++ code bases. Google also pointed to 39 of 58 in-the-wild zero-days in 2021 as memory-corruption vulnerabilities.

The essay does not overturn that evidence so much as sharpen its meaning. Its strongest move is to pull memory safety out of the usual developer-ergonomics debate and place it beside real-world abuse, the kind of failure mode where compromised phones and vulnerable systems become tools for harm. That is the practical question Rust developers keep circling: not whether Rust eliminates every bug, but whether it changes the risk profile enough to matter in code that handles untrusted input, runs on devices people depend on, or sits close to infrastructure.
CISA has been making that same shift in public. The agency says malicious actors have exploited memory-safety vulnerabilities for more than half a century, and its December 2023 recommendations said memory safety accounts for approximately 70% of reported security issues, while 2021 set a record with 88 public zero-day exploits, the majority tied to memory safety. In June 2024, CISA and partners released guidance on exploring memory safety in critical open source projects, warning that successful exploitation can let adversaries take control of software, systems, and data.
Android’s own security documentation adds the reliability angle that Rust debates often miss. It says memory-safety bugs are the most common issue in its native codebases, account for over 60% of high-severity security vulnerabilities, and are linked to millions of user-visible crashes. CISA’s June 24, 2025 guidance went even further, saying memory-safe languages offer the most comprehensive mitigation against memory-safety vulnerabilities.
That is why Liebow-Feeser’s essay feels less like a new Rust manifesto than a more urgent translation of an old one. The familiar argument is still there, but now it is framed the way the next breach would be felt: not as a patch note, but as a person on the other end of the software.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
Did this article answer your question?


