April 28, 2026
Safe language, unsafe vibes
Bugs Rust Won't Catch
Rust promised fewer disasters, but commenters say old-school bugs still crashed the party
TLDR: Canonical disclosed 44 flaws in its Rust-based Linux tools, showing that Rust’s built-in protections didn’t stop a wave of real-world security mistakes. Commenters split between blaming Rust’s awkward file APIs and blasting the rewrite as a classic case of replacing battle-tested software without carrying over decades of hard-earned lessons.
Rust, the programming language with a near-mythic reputation for preventing nasty mistakes, just got a very public reality check. Canonical revealed 44 security flaws in uutils, the Rust-based replacement for classic Linux command-line tools, and the comment section instantly turned into a courtroom, roast battle, and group therapy session all at once. The biggest gasp? These bugs weren’t caught by Rust’s famous safety features, and some were serious enough that Ubuntu is still sticking with the older GNU versions of tools like copy, move, and delete for its next long-term release.
The community reaction was spicy. One camp basically said: “This isn’t Rust failing, it’s people not knowing the deep, old-school traps of Unix,” with one commenter bluntly calling many mistakes “exceedingly amateur.” Ouch. Another crowd used the moment to dunk on rewrites in general, arguing that old software carries years of hard-won lessons that don’t magically transfer just because you rebuild it in a shinier language. A maintainer from GNU Coreutils even chimed in, politely but pointedly, to say Rust’s file-handling tools make these timing bugs too easy to write.
And that’s where the drama really landed: not “Rust bad,” but “Rust isn’t a magic force field.” The jokes practically wrote themselves—developers discovering that memory safety doesn’t mean mistake safety, and that “safe” can still come with a side of chaos. For commenters, this wasn’t just a bug story; it was a full-on reality check for anyone treating a trendy language like a silver bullet.
Key Points
- Canonical disclosed 44 CVEs in the Rust-based uutils package in April 2026, most originating from an external audit conducted before Ubuntu 26.04 LTS.
- The article says the vulnerabilities were found in production Rust code and were not detected by the borrow checker, Clippy, or cargo audit.
- A major class of issues involved TOCTOU path races, where separate filesystem syscalls on the same pathname could be exploited via symlink substitution.
- The article states that this bug cluster is why `cp`, `mv`, and `rm` remained GNU implementations in Ubuntu 26.04 LTS.
- It recommends safer Unix filesystem patterns such as using `create_new`, operating relative to file descriptors, and creating files or directories with correct permissions from the start.
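The TOCTOU path race from the third key point and the `create_new` / correct-permissions-from-the-start advice from the last one, shown side by side in Rust. This is an added example, not code from the uutils project or from Canonical's advisory: it builds a scratch directory containing a constructed dangling symlink, runs a check-then-act writer and a `create_new` writer against the same path, and returns what each one did so the difference can be checked rather than just read about. All file and directory names are made up for the demonstration; it uses only the standard library and expects a Unix host.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, ErrorKind, Write};
use std::os::unix::fs::{symlink, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// Outcome of the demo, returned rather than printed so it can be checked.
#[derive(Debug)]
pub struct DemoOutcome {
    pub exists_followed_link: bool,    // Path::exists() reported "nothing here" for a dangling symlink
    pub lstat_saw_symlink: bool,       // symlink_metadata() reported the link itself, not its target
    pub racy_wrote_through_link: bool, // the check-then-act writer created the link's target
    pub hardened_refused: bool,        // create_new() failed with AlreadyExists on the same link
    pub hardened_fresh_mode: u32,      // permission bits of a file created with create_new + mode
}

/// Fresh scratch directory under the system temp dir (constructed fixture, removed at the end).
fn scratch_dir() -> io::Result<PathBuf> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let dir = std::env::temp_dir().join(format!("toctou-demo-{}-{}", std::process::id(), nanos));
    fs::create_dir(&dir)?;
    Ok(dir)
}

/// Racy pattern: one syscall inspects the pathname, a second one acts on it.
/// `exists()` follows symlinks, so a dangling link looks like free space, and
/// `create(true)` (O_CREAT without O_EXCL) then follows the link and creates
/// whatever it points at. The gap between the two calls is the TOCTOU window;
/// the fixture simply puts the link in place ahead of time.
pub fn write_check_then_act(path: &Path, data: &[u8]) -> io::Result<()> {
    if path.exists() {
        return Err(io::Error::new(ErrorKind::AlreadyExists, "refusing to overwrite"));
    }
    let mut f = OpenOptions::new().write(true).create(true).open(path)?;
    f.write_all(data)
}

/// Hardened pattern: a single syscall that both checks and creates.
/// `create_new(true)` is O_CREAT|O_EXCL, which fails with EEXIST if the path
/// names anything at all, a symlink included, and `mode(0o600)` applies the
/// permissions at creation so there is no chmod-after-the-fact window.
pub fn write_create_new(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(path)?;
    f.write_all(data)
}

pub fn run_demo() -> io::Result<DemoOutcome> {
    let root = scratch_dir()?;
    let protected = root.join("protected");
    fs::create_dir(&protected)?;
    let target = protected.join("secret.txt"); // does not exist yet
    let link = root.join("output.txt");
    // Constructed fixture: a dangling symlink sits where the program expects to create its output.
    symlink(&target, &link)?;

    let exists_followed_link = !link.exists();
    let lstat_saw_symlink = fs::symlink_metadata(&link)?.file_type().is_symlink();

    // The racy writer sees "no file", opens through the link and creates protected/secret.txt.
    let racy_wrote_through_link = write_check_then_act(&link, b"racy").is_ok() && target.exists();

    // Put the fixture back to a dangling link before trying the hardened writer.
    let _ = fs::remove_file(&target);
    let hardened_refused = matches!(
        write_create_new(&link, b"safe"),
        Err(e) if e.kind() == ErrorKind::AlreadyExists
    );

    // On a genuinely free path the hardened writer succeeds with the right bits from the start.
    let fresh = root.join("fresh.txt");
    write_create_new(&fresh, b"safe")?;
    let hardened_fresh_mode = fs::metadata(&fresh)?.permissions().mode() & 0o777;

    fs::remove_dir_all(&root)?;
    Ok(DemoOutcome {
        exists_followed_link,
        lstat_saw_symlink,
        racy_wrote_through_link,
        hardened_refused,
        hardened_fresh_mode,
    })
}

fn main() -> io::Result<()> {
    println!("{:#?}", run_demo()?);
    Ok(())
}
```

Running it prints a `DemoOutcome` in which the racy writer has created the link's target while the `create_new` writer refused the same path and produced the fresh file as `0o600`. The page's third recommendation, operating relative to a directory file descriptor (`openat`, `unlinkat` and friends), is not exposed by Rust's standard library; it needs the `libc` crate or a capability-oriented wrapper such as `cap-std`, which is why this std-only block stops at `create_new` and `symlink_metadata`.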