- 44 CVEs reveal Rust limitations in uutils coreutils logic handling.
- Ubuntu 25.10 ships vulnerable uutils by default for key tools.
- Ubuntu 26.04 LTS defaults cp, mv, rm to secure GNU versions.
Canonical disclosed 44 Common Vulnerabilities and Exposures (CVEs) in uutils on April 15, 2026. This Rust reimplementation of GNU coreutils ships by default in Ubuntu 25.10. The flaws reveal Rust limitations in catching logic errors despite strong memory safety (Canonical security notice).
An audit before Ubuntu 26.04 LTS release prompted Canonical to revert core utilities like cp, mv, and rm to GNU versions.
Rust Limitations Hit 44 uutils CVEs in Key PC Utilities
uutils targets performance in Ubuntu 25.10. Yet 44 CVEs affect critical tools including install and rm.
Take CVE-2026-35355 in install.rs. It mishandles Permissions::from_mode(0o700), enabling privilege escalation (corrode.dev analysis). Attackers exploit invalid mode parsing during file installs on PC filesystems.
CVE-2026-35363 in rm creates symlink race conditions. uutils does not rely on the guarantee that fs::OpenOptions::create_new provides, as described in the Rust standard library docs (Rust std docs).
File I/O dominates these CVEs. GNU coreutils faced similar issues but matured through years of fixes.
PC builders use these tools in Linux gaming setups and NVMe SSD management. A single race condition risks data loss on high-speed drives.
Why Rust Excels at Memory Safety Yet Misses Logic Errors
Rust's borrow checker blocks buffer overflows plaguing C code. PC developers integrate Rust into drivers and even Linux kernel modules.
Logic bugs evade compile-time checks. Race conditions and invalid permissions require runtime validation that Rust does not enforce.
Canonical VP Engineering Jon Seager noted these gaps in an Ubuntu discourse post (Ubuntu discourse). uutils skips atomic file creation with create_new.
Permissions::from_mode accepts invalid inputs without GNU-style checks. Ubuntu 26.04 LTS defaults to GNU for cp, mv, and rm post-audit.
- Utility: cp · Implementation: GNU · CVE Count: N/A · Ubuntu 26.04 LTS: Default
- Utility: mv · Implementation: GNU · CVE Count: N/A · Ubuntu 26.04 LTS: Default
- Utility: rm · Implementation: GNU · CVE Count: N/A · Ubuntu 26.04 LTS: Default
- Utility: install · Implementation: uutils (Rust) · CVE Count: Multiple · Ubuntu 26.04 LTS: Default
PC workflows depend on reliable coreutils for scripting and automation.
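The two runtime checks named in this section, atomic creation with create_new and validation of the mode before it reaches Permissions::from_mode, look like this in practice. This is an added example, not uutils or Canonical code; checked_mode, create_exclusive, demo and the temporary directory layout are hypothetical names constructed for the illustration.

```rust
use std::fs::{self, File, OpenOptions, Permissions};
use std::io::{self, ErrorKind};
use std::os::unix::fs::{symlink, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Accept only permission bits plus setuid/setgid/sticky (hypothetical helper).
fn checked_mode(raw: u32) -> io::Result<u32> {
    if raw & !0o7777 != 0 {
        return Err(io::Error::new(ErrorKind::InvalidInput, "mode outside 0o7777"));
    }
    Ok(raw)
}

/// Create `path` only if nothing is there, then set the mode on the open handle.
fn create_exclusive(path: &Path, raw_mode: u32) -> io::Result<File> {
    let mode = checked_mode(raw_mode)?; // validate before touching the filesystem
    let file = OpenOptions::new()
        .write(true)
        .create_new(true) // O_CREAT|O_EXCL: fails on any existing name, symlinks included
        .mode(0o600) // owner-only until the final mode is applied
        .open(path)?;
    // fchmod on the descriptor: no second path lookup that could be redirected
    file.set_permissions(Permissions::from_mode(mode))?;
    Ok(file)
}

/// Constructed scenario: a symlink already sits where the output file should go.
fn demo() -> io::Result<(ErrorKind, Vec<u8>, u32, ErrorKind)> {
    let dir = std::env::temp_dir().join(format!("create-new-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let victim = dir.join("victim");
    fs::write(&victim, b"keep")?;
    symlink(&victim, dir.join("out"))?;
    let planted = create_exclusive(&dir.join("out"), 0o700).unwrap_err().kind();
    let fresh = create_exclusive(&dir.join("fresh"), 0o700)?;
    let mode = fresh.metadata()?.permissions().mode() & 0o7777;
    let bad = create_exclusive(&dir.join("bad"), 0o10700).unwrap_err().kind();
    let kept = fs::read(&victim)?;
    fs::remove_dir_all(&dir)?;
    Ok((planted, kept, mode, bad))
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

The pre-planted symlink is refused with AlreadyExists and its target is left untouched, while the out-of-range mode is rejected before any file is created.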
uutils CVEs Threaten PC Security on Ubuntu Systems
Coreutils manage Linux filesystems essential to PC operation. These bugs enable privilege escalation and data corruption.
Ubuntu 25.10 adopted uutils for speed gains on modern hardware. Canonical's notice urges immediate updates for the 44 CVEs.
Corrode.dev explains that Rust does not catch runtime races when synchronization is absent (corrode.dev).
Enterprises run Ubuntu on PC fleets for development and servers. Air-gapped systems face delayed patches, amplifying risks.
Independent tests show uutils rm deletes files 10% faster on NVMe SSDs than GNU, per corrode.dev benchmarks (corrode.dev benchmarks). This speed lured adoption but exposed flaws.
Gamers invoke coreutils in Steam Proton scripts for Linux titles on Windows hardware. IT pros script cp and mv for daily backups.
Ubuntu PC Users Weigh Coreutils Performance vs. Safety
Ubuntu 25.10 users should patch uutils for CVE-2026-35355 and CVE-2026-35363 immediately. Verify updates via apt.
Rust shines in user-space apps but struggles near kernels. PC hardware like AMD Ryzen and Intel Core i9 benefits from Rust drivers, yet coreutils demand battle-tested code.
Future Linux kernels expand Rust modules. Canonical's hybrid approach tests cautious integration.
Phoronix benchmarks confirm uutils edges GNU in I/O throughput by 5-15% on PCIe 5.0 NVMe drives, but security trumps marginal gains (Phoronix). GNU's stability suits production PC builds.
Rust vs. GNU Coreutils: PC Benchmarks and Trade-offs
uutils binaries run 20% smaller than GNU, saving space on PC SSDs, per corrode.dev developer reports.
Safety trails with 44 CVEs. GNU coreutils benefit from decades of fuzzing and real-world hardening.
Rust's cargo-fuzz tools advance quickly. PC enthusiasts demand secure defaults for custom builds.
Canonical prioritizes Rust patches now. Hybrid GNU-Rust setups deliver speed and security for gaming rigs and workstations.
Ongoing audits shrink Rust limitations. PC users gain from faster, safer tools as Ubuntu evolves.
Supply chain scrutiny rises for Linux distros. Canonical's decisions impact AMD and Intel hardware adoption in enterprise PCs.
Frequently Asked Questions
What Rust limitations caused the 44 uutils CVEs?
Rust prevents memory errors but misses logic flaws like races and permissions. uutils CVEs include install.rs mode handling and rm symlinks. Add runtime checks.
How do uutils CVEs impact Ubuntu PC users?
Risks include privilege escalation in file operations. Ubuntu 25.10 uses uutils; 26.04 LTS prefers GNU for critical tools. Apply patches immediately.
Why does Ubuntu 26.04 LTS use GNU coreutils?
Post-audit, Canonical retained GNU for cp, mv, and rm due to issues. The hybrid approach prioritizes PC safety over full Rust adoption.
Are Rust bugs common in PC software?
Logic errors like CVE-2026-35363 evade the borrow checker. Combine Rust with fuzzing and audits for robust PC security.
