Ubuntu’s Rust coreutils face race condition scrutiny after security audit
Ubuntu's Rust coreutils were meant to harden a Unix staple, but audit findings exposed race bugs that Rust's memory safety could not prevent.
Security expert lcamtuf drew attention to an advisory trail showing race conditions in uutils, the Rust rewrite of GNU coreutils, and that immediately sharpened the question Ubuntu now has to answer: a memory-safe language does not automatically deliver a secure filesystem toolchain. The bugs were not theoretical. They landed in utilities that live and die by careful handling of paths, file descriptors, and timing.
Ubuntu had already committed to the rewrite in March 2025, saying it wanted uutils’ coreutils to become the default in Ubuntu 25.10, with Ubuntu 26.04 LTS as the longer-term goal if conditions were right. Canonical framed the move around resilience, safety, and maintainability, not raw speed. That caution matters because coreutils is an Essential package in Ubuntu, which means the replacement has to work at the most awkward point in the system’s life cycle, when it is merely unpacked and cannot lean easily on alternatives or diversions.

That operational risk is exactly why Ubuntu commissioned an independent audit from Zellic after an internal review surfaced serious concerns. The audit ran in two phases, from December 2025 to January 2026 and again from February 2026 to March 2026, and identified 113 issues in total, 73 in the first round and 40 in the second. During phase two, Zellic submitted 30 mitigations upstream as pull requests, and Ubuntu said the uutils community responded quickly enough that most findings were addressed. Sylvestre Ledru and the wider contributor set were credited for that turnaround.
The issue list showed a pattern, not a single bad edge case. Advisories published on April 22 and April 23, 2026 covered touch, install, mkfifo, chcon, ln, mv, cp, sort, dd, chmod, cut, and more. The concrete examples read like a checklist of classic Unix race hazards: touch was vulnerable to a time-of-check to time-of-use (TOCTOU) race during file creation, install could unlink a destination and recreate it without O_EXCL, mkfifo did a path-based chmod after creation, mv raced during cross-device operations, and chcon used fresh path lookups during recursive operations. That is the old hardening story all over again, only now it is being relearned in Rust.
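The install and mkfifo findings share one shape: a path is resolved again after the state it was checked against may have changed. As an added illustration (not uutils code and not taken from the advisories), the Rust sketch below puts that shape beside an O_EXCL, descriptor-based version; the function names, the `window` hook that simulates a concurrent change, and the temporary paths are all constructed for the example.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

// Racy shape: unlink, re-create by path without O_EXCL, chmod by path.
// `window` stands in for whatever another process does between the steps.
fn install_racy(dest: &Path, data: &[u8], mode: u32, window: impl FnOnce()) -> io::Result<()> {
    let _ = fs::remove_file(dest);
    window();
    // No O_EXCL: opens whatever now sits at `dest`, following a symlink.
    let mut f = OpenOptions::new().write(true).create(true).truncate(true).open(dest)?;
    f.write_all(data)?;
    // Second path lookup: may resolve to a different inode than `f`.
    fs::set_permissions(dest, Permissions::from_mode(mode))
}

// Hardened shape: O_CREAT|O_EXCL, then fchmod on the descriptor we created.
fn install_exclusive(dest: &Path, data: &[u8], mode: u32, window: impl FnOnce()) -> io::Result<()> {
    let _ = fs::remove_file(dest);
    window();
    // create_new = O_EXCL: fails with AlreadyExists if anything, including
    // a symlink, occupies `dest`.
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(dest)?;
    f.write_all(data)?;
    // File::set_permissions is fchmod(2): applies to the opened inode only.
    f.set_permissions(Permissions::from_mode(mode))
}

// Constructed scenario: returns (error kind if any, contents of the bystander file).
fn demo(exclusive: bool) -> (Option<io::ErrorKind>, String) {
    let dir = std::env::temp_dir().join(format!("excl-demo-{}-{}", std::process::id(), exclusive));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir).unwrap();
    let (dest, other) = (dir.join("dest"), dir.join("other"));
    fs::write(&dest, "old").unwrap();
    fs::write(&other, "untouched").unwrap();
    let swap = || std::os::unix::fs::symlink(&other, &dest).unwrap();
    let r = if exclusive { install_exclusive(&dest, b"new", 0o755, swap) }
            else { install_racy(&dest, b"new", 0o755, swap) };
    let seen = fs::read_to_string(&other).unwrap();
    let _ = fs::remove_dir_all(&dir);
    (r.err().map(|e| e.kind()), seen)
}

fn main() {
    println!("racy:      {:?}", demo(false));
    println!("exclusive: {:?}", demo(true));
}
```

Both functions compile without `unsafe` and are memory-safe; only the exclusive variant refuses to proceed when the path changes underneath it.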
Ubuntu 26.04 LTS includes rust-coreutils 0.8.0, but cp, mv, and rm are still GNU coreutils in that release because eight TOCTOU issues remained open as of April 22, 2026. Ubuntu’s next target is Ubuntu 26.10 for a full rust-coreutils switch. For Rust’s biggest systems rewrite projects, that is the real lesson from this audit: memory safety can remove one entire class of bugs, but it does not absolve a project from the adversarial edge cases that make core operating system utilities hard.

