DEV Community

What 44 CVEs Tell You About Rust's Safety Boundary

In April 2026, Canonical disclosed 44 CVEs in uutils, the Rust reimplementation of GNU coreutils that has been the default in Ubuntu since 25.10. The disclosures came out of an external audit commissioned ahead of the 26.04 LTS release. Most of the bugs were found by code review of a single Rust codebase. None of them were caught by the borrow checker, by clippy lints, or by cargo audit. The audit is the sharpest case study available for what Rust catches and what it doesn't. The most useful ...
