uutils 0.9 hardens Rust coreutils after audit finds severe bugs

uutils 0.9 arrives with security hardening and zero-copy gains, but the audit that drove it also exposed 113 issues and a lingering quality gap.

Nina Kowalski
Source: phoronix.net

The Rust rewrite of GNU coreutils just took a hard look in the mirror, and the reflection was not flattering. uutils 0.9 landed with security hardening and zero-copy I/O work, but it followed an external audit that found 113 issues and left the project wrestling with a blunt question: is Rust coreutils getting safer and more production-ready, or moving faster than its current quality bar can support?

Ubuntu commissioned Zellic to audit rust-coreutils in two phases, first from December 2025 to January 2026 and then from February 2026 to March 2026. Across both rounds, Zellic identified 113 issues of varying severity and contributed 30 mitigation pull requests upstream. That audit pressure fed directly into the release cadence around uutils 0.9, which aims to make the Rust implementation sturdier while still chasing the speed and system-level wins that have made it attractive in the first place.

The stakes are already visible inside Ubuntu. On April 22, 2026, Canonical said it had included rust-coreutils 0.8.0 in Ubuntu 26.04, but it kept GNU coreutils for cp, mv, and rm because unresolved TOCTOU issues were still too risky to ignore. The company’s target is 100% rust-coreutils in Ubuntu 26.10, which makes each upstream release less of a hobby-project milestone and more of a migration checkpoint for a major Linux distribution.

The security fallout widened further on May 1, 2026, when GNU coreutils committer Collin Funk said 44 of the 113 audit findings had been assigned CVEs. Funk singled out concrete bugs in uutils 0.8.0, including mkfifo permissions races, nohup creating world-writable nohup.out files, and a tail symlink-following issue. Those are the kinds of failures that change how maintainers talk about readiness, especially when the project is positioning itself as a drop-in replacement for GNU coreutils on non-GNU platforms.

That tension shows up in the numbers too. The 0.8.0 release reported 630 passing GNU test-suite cases out of 665 total, with 23 failures, and the latest 0.9 update brings test coverage down to 90.5% with more failing cases still in the mix. Even so, the project has kept pushing the lower-level stack forward, including its migration from nix to rustix to reduce unsafe code and improve syscall safety, alongside performance work that earlier release notes tied to faster dd, ls, sort, wc and cat.

uutils has always sold itself as a production-ready replacement, and the 0.9 release shows why that claim is still both promising and fragile. The audit did not slow the momentum; it made the tradeoff impossible to miss.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
