Ubuntu coreutils audit finds 44 Rust security flaws, mostly logic errors

Forty-four security flaws surfaced in Ubuntu’s Rust coreutils audit, and none were classic memory bugs. The failures were logic errors, races and text-handling mistakes instead.

Nina Kowalski · 2 min read

Forty-four security flaws landed in Ubuntu’s Rust coreutils audit, and none of them were the classic memory-corruption bugs Rust is supposed to erase. The problems sat at the syscall boundary instead, in logic errors, TOCTOU races and UTF-8 handling that let correct-looking code make the wrong security decision.

Canonical said Zellic ran the audit in two phases, first from December 2025 to January 2026 on high-priority utilities, then from February 2026 to March 2026 on the rest. Across both rounds, Zellic found 113 issues in total, 73 in the first pass and 40 in the second, and contributed 30 mitigation pull requests upstream. Canonical said the open-source uutils community moved quickly and that the vast majority of findings were addressed and resolved.

The clearest lesson for Rust developers is that memory safety is only one layer of the job. NIST’s vulnerability records for the uutils issues describe an env -S parsing flaw that can break valid command sequences and exit 125, plus an rm preserve-root bypass that hinges on path-string checks instead of inode and device comparison. Other findings hit install, mv, cp, touch and mkfifo with TOCTOU bugs, the kind that appear when a check and the later syscall see different filesystem state.
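As an added illustration of that last point (this is example code written for this article, not code from uutils, Zellic or the audit), the snippet below contrasts a preserve-root check that compares the path string with one that compares the kernel's (device, inode) identity obtained by fstat on an already-open descriptor. The string check is fooled by alternate spellings of the root directory and by a symlink that points at it; the inode check is not, and because it runs on the same open file object a later operation would use, there is no window in which the path can be swapped between the check and the syscall. The scratch directory, the `root-alias` symlink and the function names are constructed for the demo.

```rust
// Added example (not uutils code): path-string versus (dev, ino) identity checks.
use std::fs::{self, File};
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Naive check: refuses only when the *string* is exactly "/".
/// "//", "/./" or a symlink pointing at "/" all slip past it.
pub fn is_root_by_string(path: &Path) -> bool {
    path.to_str() == Some("/")
}

/// A file's identity as the kernel sees it: (device, inode).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub struct FileId {
    pub dev: u64,
    pub ino: u64,
}

impl FileId {
    /// fstat(2) on an already-open descriptor: the check and any later
    /// operation on `file` refer to the same object, so there is no
    /// check-then-use window for the path to be replaced.
    pub fn of_open(file: &File) -> io::Result<FileId> {
        let m = file.metadata()?;
        Ok(FileId { dev: m.dev(), ino: m.ino() })
    }

    /// stat(2) on a path: fine for a fixed reference such as "/", but a path
    /// looked up here and operated on later is exactly the TOCTOU pattern.
    pub fn of_path(path: &Path) -> io::Result<FileId> {
        let m = fs::metadata(path)?;
        Ok(FileId { dev: m.dev(), ino: m.ino() })
    }
}

/// Robust check: open the target, fstat the descriptor, and compare its
/// (dev, ino) with that of "/". Ok(true) means `path` resolves to the root
/// directory, however it was spelled.
pub fn is_root_by_inode(path: &Path) -> io::Result<bool> {
    let f = File::open(path)?;
    Ok(FileId::of_open(&f)? == FileId::of_path(Path::new("/"))?)
}

/// Constructed demo: create a symlink named `root-alias` -> "/" in a scratch
/// directory under the system temp dir and run both checks on it.
/// Returns (string_check_verdict, inode_check_verdict).
pub fn demo_symlink_bypass() -> io::Result<(bool, bool)> {
    let dir = std::env::temp_dir()
        .join(format!("preserve-root-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let link = dir.join("root-alias");
    let _ = fs::remove_file(&link); // leftover from an earlier run, if any
    std::os::unix::fs::symlink("/", &link)?;
    let by_string = is_root_by_string(&link);
    let by_inode = is_root_by_inode(&link)?;
    fs::remove_file(&link)?;
    fs::remove_dir(&dir)?;
    Ok((by_string, by_inode))
}

fn main() -> io::Result<()> {
    for spelled in ["/", "//", "/./"] {
        let p = Path::new(spelled);
        println!(
            "{:5} string-check:{:5} inode-check:{}",
            spelled,
            is_root_by_string(p),
            is_root_by_inode(p)?
        );
    }
    let (s, i) = demo_symlink_bypass()?;
    println!("symlink->/ string-check:{} inode-check:{}", s, i);
    Ok(())
}
```

The same shape applies to the install, mv, cp and touch findings mentioned above: resolve the path to a descriptor once, make every decision with fstat on that descriptor, and perform the write through it (or through a directory descriptor with the `*at` family of syscalls) rather than re-resolving the path string a second time.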

That matters because Ubuntu has already pushed the project into real packaging decisions, not just benchmark territory. Canonical said any package shipped by default in Ubuntu must be promoted to Ubuntu Main and pass a security review, and that an internal review alone was not enough confidence for an LTS release. Ubuntu 25.10, released on Oct. 9, 2025, was the first Ubuntu release to benefit from memory-safe implementations of coreutils and sudo-rs, and Canonical shipped rust-coreutils there to shake out the edges before the long-term release.

Ubuntu 26.04 LTS, released on Apr. 23, 2026, includes uutils coreutils 0.8.0 and folds in the bulk of the fixes, but cp, mv and rm stayed on GNU coreutils because they still had 8 open TOCTOU issues as of Apr. 22, 2026. Canonical now targets Ubuntu 26.10 for 100% rust-coreutils.

By 26.04, most coreutils replacements had already moved over to uutils, which makes the audit’s headline hard to miss: Rust can shut the door on overflows, but it does not automatically secure the filesystem, the race window or the text parser. That is where the real work still lives.
