June 15, 2026
Null pointer, full drama
Memory safety CVEs differ between Rust and C/C++
Rust vs C security fight turns into a full-blown comments-section cage match
TLDR: The article argues that comparing security report counts between Rust and C/C++ can be misleading because risky memory bugs are treated differently in each world. Commenters instantly split into camps: Rust skeptics said it’s no miracle cure, while fans said older languages are clearly losing ground.
This tech debate started with a simple question: can you judge a programming language by counting its security reports? The article says not so fast. Its big point is that Rust and C/C++ often get blamed differently for the same class of nasty bugs—especially the kind that can crash software or be used by attackers. The writer uses the famous internet plumbing tool curl as the example: in C, a tiny bad input can make a program fall over, but that doesn’t automatically become a scandalous security report. In Rust, the conversation around those risks works differently, and that difference is exactly what people online keep flattening into lazy “gotcha” charts.
And wow, the comments did not come to play nice. One camp basically yelled, “Rust is not magic,” pointing out that bad behavior can still happen through loopholes, low-level code, or buggy dependencies. Another camp fired back with the vibe of, “Cool story, but C and C++ are still getting dunked on in real projects,” name-dropping Ladybird switching major pieces to Rust like it was a mic drop. Then came the spicy contrarian who claimed memory bugs are a tiny slice of normal people’s problems and that Rust’s famous safety rules add “nothing” for most developers—an instant comments-section flare-up. Best mini-drama of all? Two replies immediately pounced on a technical aside with the digital equivalent of “citation needed, bestie.” In other words: the article was about software safety, but the real spectacle was the community turning it into a philosophy brawl.
Key Points
- The article focuses on memory-unsafety-related CVEs and argues that comparing raw CVE counts between Rust and C/C++ can miss important differences in reporting and interpretation.
- It states that Rust can still have undefined behavior and memory-unsafety bugs, typically involving `unsafe`, and can also contain ordinary non-memory-related vulnerabilities.
- The author argues that a key difference between Rust and C/C++ lies in how potential memory-safety vulnerabilities are treated, especially in libraries.
- curl and libcurl are used as the main example because they are widely used and well maintained within the C ecosystem.
- A minimal C program calling `curl_getenv(NULL)` can compile without warnings and may segfault at runtime, illustrating potential memory-unsafe behavior from invalid inputs.
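To make the last key point concrete, here is an added example (not code from the article, and not curl's implementation) of the pattern it describes: a getenv-style library function whose contract says "pass a non-NULL name", where the unchecked version compiles cleanly and reaches a null dereference on invalid input, next to a checked version that turns the same input into an ordinary error return. The function names, the `DEMO_VAR` variable and its value are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() and strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a getenv-style library call: takes a variable
 * name and returns a heap-allocated copy of its value, or NULL if unset.
 * Modelled only on the shape the article describes, not on curl's code. */

/* Unchecked variant. The precondition "name != NULL" lives only in the
 * documentation; nothing in the type system or the body enforces it.
 * getenv(NULL) dereferences the null pointer: undefined behaviour, which
 * on common libc implementations is a segfault. A C compiler accepts a
 * call such as getenv_copy_unchecked(NULL) without any warning. */
static char *getenv_copy_unchecked(const char *name)
{
    const char *val = getenv(name);          /* UB when name == NULL */
    return val ? strdup(val) : NULL;
}

/* Checked variant. The invalid input is rejected at the boundary and
 * reported through the normal "not found" path, so a caller bug degrades
 * to a missing value instead of a crash (or a potential CVE). */
static char *getenv_copy_checked(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return NULL;                          /* invalid input, not a crash */
    const char *val = getenv(name);
    return val ? strdup(val) : NULL;
}

/* Round trip on a constructed variable: returns 1 when the checked lookup
 * returns the value that was set, 0 otherwise. Kept as a function so the
 * result can be asserted on rather than only printed. */
static int demo_lookup_roundtrip(void)
{
    if (setenv("DEMO_VAR", "hello", 1) != 0)  /* constructed sample input */
        return 0;
    char *v = getenv_copy_checked("DEMO_VAR");
    int ok = (v != NULL && strcmp(v, "hello") == 0);
    free(v);
    return ok;
}

int main(void)
{
    /* Only the checked variant is exercised with NULL; the unchecked one
     * is left uncalled on purpose because it would crash the process. */
    (void)getenv_copy_unchecked;
    printf("checked(NULL) -> %s\n",
           getenv_copy_checked(NULL) == NULL ? "NULL (rejected)" : "value");
    printf("roundtrip ok  -> %d\n", demo_lookup_roundtrip());
    return 0;
}
```

The takeaway the article's key point rests on is visible in the two bodies: they differ by one `if`, the compiler is equally happy with both, and whether `getenv_copy_unchecked(NULL)` counts as "caller misuse" or as a memory-safety bug in the library is a convention of the ecosystem, not something the code itself decides.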