Bugs Rust won't catch
Canonical revealed 44 security vulnerabilities in uutils, the Rust-based reimplementation of GNU coreutils included in Ubuntu 25.10, following an external audit conducted ahead of the 26.04 LTS release. These bugs, all present in production Rust code, were not detected by common Rust tooling such as clippy lints or cargo audit. The findings highlight important limitations in Rust’s safety guarantees when applied to systems programming, particularly in handling filesystem operations securely.

A significant cluster of the vulnerabilities stemmed from a common pattern involving the use of multiple syscalls on file paths, which introduced race conditions exploitable by attackers with write access to parent directories. Specifically, operations that first check a path and then act on it can be tricked by symbolic link swaps between calls, leading to unauthorized file overwrites or deletions. This issue is exacerbated by Rust’s standard library APIs, which typically re-resolve paths on each call rather than operating relative to open file descriptors, making it easy to inadvertently introduce security flaws in privileged tools.

One illustrative example is CVE-2026-35355, where a privileged process removes a file and then creates a new one at the same path. Between these steps, an attacker can replace the target with a symlink to a sensitive file such as /etc/shadow, causing the privileged process to overwrite critical system files. The recommended fix involves using Rust’s OpenOptions with create_new set to true, ensuring that the file creation fails if the target path already exists or is a symlink, thereby preventing the race condition.

These audit results underscore the challenges of writing secure systems code in Rust despite its reputation for safety. They also explain why core utilities like cp, mv, and rm remain GNU implementations rather than being replaced by Rust versions in Ubuntu 26.04 LTS. The detailed disclosure by the uutils team and insights from Canonical’s engineering leadership provide valuable lessons for developers aiming to leverage Rust in security-sensitive environments.
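The create_new fix described above for CVE-2026-35355, shown beside the path-following create it replaces. This is an added example, not code from uutils or the original story; the function names, the temp directory and the file names are constructed for illustration, and the symlink call makes it Unix-only.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::path::Path;

/// "Before" pattern: File::create opens with O_CREAT|O_TRUNC and follows
/// whatever `path` resolves to at this instant, including a symlink.
fn create_following(path: &Path, data: &[u8]) -> io::Result<()> {
    File::create(path)?.write_all(data)
}

/// Hardened: create_new(true) maps to O_CREAT|O_EXCL, so the open fails with
/// AlreadyExists if anything (file, or symlink even if dangling) is at `path`.
fn create_exclusive(path: &Path, data: &[u8]) -> io::Result<()> {
    OpenOptions::new().write(true).create_new(true).open(path)?.write_all(data)
}

/// Constructed scenario in a private temp dir. Returns the protected file's
/// contents after each variant runs, plus the error kind from the hardened one.
fn demo() -> io::Result<(String, io::ErrorKind, String)> {
    let dir = std::env::temp_dir().join(format!("create_new_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let protected = dir.join("protected.txt"); // stand-in for a sensitive file
    let output = dir.join("output.txt"); // path the tool means to recreate
    fs::write(&protected, "original")?;
    // State of `output` after the remove step, once the name has been
    // re-pointed at the protected file (the window the article describes).
    std::os::unix::fs::symlink(&protected, &output)?;

    create_following(&output, b"clobbered")?;
    let after_following = fs::read_to_string(&protected)?;

    fs::write(&protected, "original")?; // reset for the second run
    let kind = create_exclusive(&output, b"clobbered").unwrap_err().kind();
    let after_exclusive = fs::read_to_string(&protected)?;

    fs::remove_dir_all(&dir)?;
    Ok((after_following, kind, after_exclusive))
}

fn main() -> io::Result<()> {
    let (following, kind, exclusive) = demo()?;
    println!("File::create through symlink: protected file = {}", following);
    println!("create_new(true): {:?}, protected file = {}", kind, exclusive);
    Ok(())
}
```

The exclusive create closes only the create step of the race; the check-then-act pattern on re-resolved paths that the article describes needs its own fix wherever else it appears.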
Original story by Hacker News