Rust safety ends at logic bugs, Canonical audit reveals 44 CVEs
Canonical’s uutils audit surfaced 44 CVEs, and Matthias Endler used it to show where Rust stops: path races, invariants, and syscall-level traps.

Rust kept memory corruption off the front page, but Canonical’s uutils audit still landed with a hard number: 44 CVEs. In his April 29 essay, Matthias Endler used that disclosure to make the point system programmers keep relearning the hard way: Rust protects you from a lot of memory bugs, but it does not save you from logic mistakes, race conditions, or privilege-escalation flaws.
The backdrop matters. Ubuntu 25.10, shipped in October 2025, was the first major Linux distribution release to adopt uutils coreutils by default, and Canonical had already said the Rust rewrite was being lined up as the new default for that cycle, with the option to revert if needed. The audit was commissioned ahead of Ubuntu 26.04 LTS, the April 2026 long-term-support release the migration is targeting, so this was never a toy exercise. Canonical’s own security messaging said the interim release was laying groundwork for that LTS path.
Endler’s sharpest example was a TOCTOU bug, the classic check-then-act race that Rust’s borrow checker does not touch. In the simplified install() flow he walked through, a program unlinks a destination and then recreates it. That looks tidy in source code and still fails in the real world if an attacker can slip a symlink or other path change into the gap between syscalls. The safer shape is to ask the filesystem to create the file only if it does not already exist, using create_new(true), instead of doing a remove-then-recreate dance.
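
The unlink-then-recreate flow described above, next to the exclusive-create shape, as an added example (not Endler's code or the uutils source). The `window` hook, the file names and the scratch directory are constructed for the demonstration, and it assumes a Unix system for the symlink call.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::path::Path;

/// Unlink-then-recreate. `window` is a hypothetical hook standing in for
/// whatever another process does between the two syscalls.
fn install_racy(dest: &Path, data: &[u8], window: impl FnOnce()) -> io::Result<()> {
    let _ = fs::remove_file(dest);
    window();
    // File::create is O_CREAT|O_TRUNC: it follows a symlink found at `dest`.
    File::create(dest)?.write_all(data)
}

/// Same flow, but creation is exclusive (O_CREAT|O_EXCL): anything that
/// appeared at `dest` in the window, symlinks included, makes the open fail.
fn install_exclusive(dest: &Path, data: &[u8], window: impl FnOnce()) -> io::Result<()> {
    let _ = fs::remove_file(dest);
    window();
    OpenOptions::new().write(true).create_new(true).open(dest)?.write_all(data)
}

/// Runs one install in a scratch directory with a symlink planted in the
/// window. Returns (error kind of the install, contents of the unrelated file).
fn demo(exclusive: bool) -> (Option<io::ErrorKind>, String) {
    let name = format!("toctou-demo-{}-{}", std::process::id(), exclusive);
    let dir = std::env::temp_dir().join(name);
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir).unwrap();
    let (other, dest) = (dir.join("other.conf"), dir.join("dest"));
    fs::write(&other, "original").unwrap(); // constructed sample file
    fs::write(&dest, "old binary").unwrap(); // constructed previous install
    let plant = || std::os::unix::fs::symlink(&other, &dest).unwrap();
    let res = if exclusive {
        install_exclusive(&dest, b"new binary", plant)
    } else {
        install_racy(&dest, b"new binary", plant)
    };
    let contents = fs::read_to_string(&other).unwrap();
    let _ = fs::remove_dir_all(&dir);
    (res.err().map(|e| e.kind()), contents)
}

fn main() {
    println!("racy:      {:?}", demo(false));
    println!("exclusive: {:?}", demo(true));
}
```

With `File::create` the write lands in the unrelated file through the symlink and the call reports success; with `create_new(true)` the open fails with `AlreadyExists` and that file is untouched, so the caller can treat the error as a detected race.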

That is the practical mental model Endler pushes: after borrow checking is done, the remaining risk lives in input validation, filesystem semantics, invariants, and adversarial timing. Canonical’s audit findings showed that clearly enough. Ubuntu Security tracked a uutils dd error-handling issue under CVE-2026-35344, while GitHub advisories flagged an install TOCTOU race caused by unlink-then-recreate without O_EXCL and an rm safeguard bypass tied to equivalent paths with trailing slashes.
The broader message is not that Rust failed. It is that Rust did exactly what it promised and no more. Canonical’s April 22 update thanked Zellic, Sylvestre Ledru, and the uutils community, and said the audit made the company confident shipping rust-coreutils in an LTS release. But Ubuntu 26.04 LTS still keeps GNU coreutils for tools such as cp, mv, and rm while the Rust replacements harden. That is the real lesson for anyone building system software in Rust: memory safety is the floor, not the finish line.

