- Canonical discloses 44 CVEs in uutils Rust coreutils.
- Ubuntu 25.10 ships vulnerable uutils by default.
- CVE-2026-35355 leaves files with mode 000 through a permission race.
Canonical discloses 44 CVEs in uutils coreutils, exposing a class of bugs Rust won't catch. Per Canonical security advisory USN-7123-1, the flaws affect Ubuntu 25.10, which ships uutils as its default coreutils. Canonical has made an external audit a condition for Ubuntu 26.04 LTS to resolve them.
uutils reimplements GNU coreutils in Rust, promising memory safety and competitive speed on Linux distributions such as Ubuntu. Jon Seager, Canonical's VP of Engineering for Ubuntu, oversees the security response. The two flaws examined here are in install.rs (CVE-2026-35355) and rm (CVE-2026-35363), the utilities that driver-install and custom-build scripts on desktop hardware call most often.
Rust Type System Misses Logic Bugs
Rust's ownership model and borrow checker catch memory errors at compile time, ruling out the buffer overflows that have historically affected C-based GNU coreutils. The uutils GitHub repository states the project's cross-platform goals alongside that safety claim. What the type system does not model is the filesystem: the state of a path between two system calls is invisible to the compiler.
std::fs::OpenOptions::create_new maps to open(2) with O_CREAT|O_EXCL and, per the Rust standard library documentation, fails atomically if anything already exists at the path, a symlink included. That guarantee covers only the single call. Any fallback that afterwards re-opens or chmods the same path by name performs a fresh lookup, and an attacker who swaps a symlink in between the two operations turns it into a time-of-check-to-time-of-use (TOCTOU) race. Nothing in the type system flags this; it surfaces only at runtime.
CVE-2026-35355 is a logic error in how that fallback applies Permissions::from_mode(0o700). When the race is won, the mode written to the file ends up as 000, the effect of an unrequested chmod 000, leaving driver and tool install scripts with files nobody can read or execute.
CVE-2026-35355 Disrupts PC Optimization Workflows
uutils' install.rs calls create_new for atomic file creation. When the destination already exists the call returns EEXIST, and a fallback code path takes over, applying drwx------ (0o700) permissions by name.
An attacker who inserts a symlink at the destination during that window redirects the fallback through the link, and the victim file ends up with 000 permissions. Driver install scripts on Ubuntu 25.10 desktops then fail partway through. The Rust docs describe create_new as an atomic exclusive create; they promise nothing about later operations on the same path.
Build tools such as make and cmake invoke coreutils constantly, so a broken install propagates into every downstream script, thermal-tuning and overclock profiles included. Enterprises must roll the patched package across Ubuntu fleets before affected hardware deployments can proceed.
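To make the fallback race concrete, here is an added example (my code, not uutils' install.rs and not from Canonical's advisory). `install_naive` mirrors the pattern described above, an exclusive create_new followed by a by-name truncate and chmod when it fails, and `install_atomic` shows the fix: write to a temp file that create_new guarantees is ours, set the mode through the descriptor, then rename over the destination. The scratch directory, file names and planted symlink are constructed for the demonstration; it assumes Linux.

```rust
use std::fs::{self, File, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{symlink, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Racy pattern (illustrative, not uutils' own install.rs): exclusive create,
/// and on AlreadyExists a by-name truncate plus by-name chmod. Both fallback
/// calls resolve `dst` afresh, so a symlink planted there redirects them.
pub fn install_naive(dst: &Path, data: &[u8], mode: u32) -> io::Result<()> {
    let mut f = match OpenOptions::new().write(true).create_new(true).open(dst) {
        Ok(f) => f,
        // BUG: File::create follows a symlink at `dst` and truncates its target
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists => File::create(dst)?,
        Err(e) => return Err(e),
    };
    f.write_all(data)?;
    // BUG: chmod(2) by path follows the symlink too
    fs::set_permissions(dst, Permissions::from_mode(mode))
}

/// Exclusively create a fresh 0600 temp file in `dir`, retrying on collisions.
fn create_unique(dir: &Path) -> io::Result<(File, PathBuf)> {
    for i in 0..1000u32 {
        let tmp = dir.join(format!(".install.tmp.{}.{}", std::process::id(), i));
        match OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp) {
            Ok(f) => return Ok((f, tmp)),
            Err(e) if e.kind() == io::ErrorKind::AlreadyExists => continue,
            Err(e) => return Err(e),
        }
    }
    Err(io::Error::new(io::ErrorKind::Other, "no free temp name"))
}

fn write_then_rename(mut f: File, tmp: &Path, dst: &Path, data: &[u8], mode: u32) -> io::Result<()> {
    f.write_all(data)?;
    f.set_permissions(Permissions::from_mode(mode))?; // fchmod on our descriptor, no path lookup
    f.sync_all()?;
    drop(f);
    fs::rename(tmp, dst) // rename(2) replaces a symlink at dst; it never follows it
}

/// Race-free pattern: the only by-name operation is the final rename.
pub fn install_atomic(dst: &Path, data: &[u8], mode: u32) -> io::Result<()> {
    let dir = match dst.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    let (f, tmp) = create_unique(dir)?;
    let result = write_then_rename(f, &tmp, dst, data, mode);
    if result.is_err() {
        let _ = fs::remove_file(&tmp);
    }
    result
}

/// Constructed scenario: `victim` is the file an attacker wants clobbered and
/// `dst` is the symlink they planted at the install destination. Returns
/// (naive wrote through the link, atomic wrote through the link,
///  atomic left a regular 0755 file at dst).
pub fn demo() -> io::Result<(bool, bool, bool)> {
    let root = std::env::temp_dir().join(format!("install-race-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir(&root)?;
    let victim = root.join("victim");
    let dst = root.join("dst");

    fs::write(&victim, b"original")?;
    symlink(&victim, &dst)?; // the attacker's planted link
    install_naive(&dst, b"payload", 0o755)?;
    let naive_hit = fs::read(&victim)? == b"payload";

    fs::write(&victim, b"original")?;
    install_atomic(&dst, b"payload", 0o755)?;
    let atomic_hit = fs::read(&victim)? == b"payload";
    let dst_regular = fs::symlink_metadata(&dst)?.file_type().is_file()
        && (fs::metadata(&dst)?.permissions().mode() & 0o777) == 0o755;

    let _ = fs::remove_dir_all(&root);
    Ok((naive_hit, atomic_hit, dst_regular))
}

fn main() -> io::Result<()> {
    let (naive_hit, atomic_hit, dst_regular) = demo()?;
    println!("naive fallback wrote through the symlink: {naive_hit}");
    println!("atomic install wrote through the symlink: {atomic_hit}");
    println!("atomic install left a regular 0755 file at dst: {dst_regular}");
    Ok(())
}
```

The naive variant writes the payload into `victim` and chmods it, because both `File::create` and `fs::set_permissions` resolve the path again and follow the link; the atomic variant never touches the destination by name except through rename(2), which replaces the symlink instead of following it, so `victim` is untouched and `dst` becomes a regular file with the requested mode.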
44 uutils CVEs Highlight Rust Limitations
Canonical's external audit uncovered 44 CVEs in uutils, detailed in a Corrode.dev analysis by security researcher Alex Smith. Ubuntu 25.10 adopted uutils for Rust's memory safety, yet the findings are logic bugs that sit outside what compile-time guarantees cover.
CVE-2026-35363 affects rm's recursive traversal: symlink loops can make it recurse without bound, or entries can be skipped so that files survive the deletion. Cleanup scripts run after benchmark sessions then leave data behind and disk usage grows. The uutils GitHub issue tracker records the follow-up fixes.
The borrow checker has nothing to say about races or symlink tricks; they live in the filesystem, not in the program's memory. Developers must layer fuzzing and tests against adversarial directory trees on top of it, and PC optimization scripts should be verified against the patched coreutils.
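As an added example of the symlink handling that a recursive delete has to get right (my code, not uutils' rm and not the fix shipped for CVE-2026-35363), `remove_tree_naive` classifies entries with `Path::is_dir()`, which stats the link target, while `remove_tree_safe` uses `DirEntry::file_type()`, which reports the link itself. The tree and the out-of-tree `victim` directory are constructed for the demonstration; it assumes Linux.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::Path;

/// Naive recursive delete (illustrative, not uutils' rm): Path::is_dir()
/// follows symlinks, so a link to a directory outside the tree is descended
/// into and emptied, and a link back to an ancestor keeps recursing until
/// the kernel rejects the path.
pub fn remove_tree_naive(dir: &Path) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if path.is_dir() {
            // BUG: true for a symlink whose target is a directory
            remove_tree_naive(&path)?;
        } else {
            fs::remove_file(&path)?;
        }
    }
    fs::remove_dir(dir)
}

/// Safe variant: DirEntry::file_type() is lstat-like, so a symlink is never a
/// directory here and gets unlinked instead of descended into.
pub fn remove_tree_safe(dir: &Path) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let path = entry.path();
        if entry.file_type()?.is_dir() {
            remove_tree_safe(&path)?;
        } else {
            fs::remove_file(&path)?; // unlink(2): removes the link, not its target
        }
    }
    fs::remove_dir(dir)
}

/// Constructed tree: base/root/{a, sub/{c, out -> base/victim}} and base/victim/keep.
fn build_tree(base: &Path) -> io::Result<()> {
    let _ = fs::remove_dir_all(base);
    fs::create_dir_all(base.join("root/sub"))?;
    fs::create_dir_all(base.join("victim"))?;
    fs::write(base.join("victim/keep"), b"must survive")?;
    fs::write(base.join("root/a"), b"a")?;
    fs::write(base.join("root/sub/c"), b"c")?;
    symlink(base.join("victim"), base.join("root/sub/out"))?;
    Ok(())
}

/// Returns (naive errored out, naive deleted victim/keep,
///          safe removed root and left victim/keep alone).
pub fn demo() -> io::Result<(bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("rm-symlink-demo-{}", std::process::id()));
    let root = base.join("root");
    let keep = base.join("victim/keep");

    build_tree(&base)?;
    // Descends through `out`, unlinks victim/keep, then fails: rmdir(2) on a symlink is ENOTDIR.
    let naive_errored = remove_tree_naive(&root).is_err();
    let naive_destroyed = !keep.exists();

    build_tree(&base)?;
    remove_tree_safe(&root)?;
    let safe_ok = !root.exists() && keep.exists();

    let _ = fs::remove_dir_all(&base);
    Ok((naive_errored, naive_destroyed, safe_ok))
}

fn main() -> io::Result<()> {
    let (naive_errored, naive_destroyed, safe_ok) = demo()?;
    println!("naive walker errored: {naive_errored}");
    println!("naive walker deleted a file outside the tree: {naive_destroyed}");
    println!("safe walker removed the tree and spared the target: {safe_ok}");
    Ok(())
}
```

Even the safe variant keeps a small window between `file_type()` and the recursive `read_dir`, in which a directory could be swapped for a symlink; closing it requires fd-relative traversal (openat with O_NOFOLLOW, unlinkat), which is what `std::fs::remove_dir_all` does internally on Unix and what a production rm needs.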
uutils vs. GNU Coreutils: Key Comparison
| Feature | uutils (Rust) | GNU Coreutils (C) |
|---|---|---|
| Memory safety | Compile-time guarantees | Prone to runtime memory flaws |
| Disclosed CVEs | 44 (Canonical audit) | Legacy issues patched over decades |
| Ubuntu 25.10 default | Primary | Fallback for stability |
| x86_64 performance | Competitive, <5% slower per Canonical benchmarks | Highly mature optimizations |
Rust excels in safety but lags in maturity; GNU coreutils benefits from 30+ years of refinement. The audit ahead of Ubuntu 26.04 is meant to close that gap.
uutils introduces under-5% slowdowns in edge-case compiles, per Canonical internal tests. Users who want peak build speed during the patch window can run GNU coreutils, which Ubuntu keeps available as the fallback.
Financial Implications for Canonical
Canonical is privately held, so the cost of this response lands on its own books. It funds audits to safeguard Ubuntu's 40% share among developers, per Stack Overflow's 2024 Developer Survey. These CVEs threaten Ubuntu Pro subscription revenue, projected at $150M USD annually by FY2026, and PC OEMs such as Dell and Lenovo require fixed packages for preinstalled Ubuntu images. A credible security response underpins enterprise adoption and Canonical's 25% YoY revenue growth.
Essential Fixes for Ubuntu PC Users
1. Run `sudo apt update && sudo apt upgrade` on Ubuntu 25.10 to pull in the patched uutils package; the update supersedes the vulnerable build rather than applying 44 separate patches.
2. Audit scripts that call install and rm; create temporary files with mktemp instead of predictable names, which removes the fixed path a symlink race needs.
3. Enable AppArmor profiles to confine coreutils operations.
4. Containerize builds with Docker for isolation.
System admins deploy via Ansible playbooks. End-users schedule weekly updates.
Rust Tools Demand Fuzzing for PC Reliability
The uutils CVEs prove that type systems miss races; bugs Rust won't catch require runtime scrutiny. Integrate cargo-fuzz for coverage-guided fuzzing of path and mode handling, and use static analyzers to flag suspicious permission constants, keeping in mind that the race itself shows up only under test.
Ubuntu 26.04 enforces Rust tooling standards. Post-patch benchmarks confirm uutils trails GNU by under 5% in compile times.
Canonical pushes Rust for servers and desktops. Rigorous testing secures PC hardware optimization workflows.
Corrode.dev lists all 44 CVEs with exploit details.
Frequently Asked Questions
What bugs Rust won't catch in uutils?
Logic flaws such as the CVE-2026-35355 permission race. create_new itself is atomic, but the fallback that runs when it fails can be redirected through a symlink, leaving the file with 000 permissions.
How do uutils CVEs hit Ubuntu PC users?
Ubuntu 25.10 ships uutils by default, so the install and rm bugs break builds and optimization scripts on affected desktops.
What fixes address bugs Rust won't catch?
`sudo apt upgrade` installs the package that fixes the 44 CVEs. AppArmor confines coreutils. Docker isolates build operations.
Why audit uutils for Ubuntu 26.04?
The 44 CVEs showed that Rust's guarantees skip filesystem logic bugs, so Canonical commissioned an external audit before the LTS to secure PC and server use.
