- Canonical disclosed 44 CVEs in uutils via Trail of Bits audit.
- Ubuntu 26.04 LTS uses uutils 25.10 with GNU cp, mv, rm fallbacks.
- uutils ls lags GNU by 12% on Ryzen 9 9950X, per Phoronix.
Canonical disclosed 44 CVEs in uutils coreutils for Ubuntu 26.04 LTS. These are bugs Rust won't catch: logic flaws such as symlink races. A Trail of Bits audit uncovered them before the April 15, 2026 release.
Ubuntu 26.04 ships uutils 25.10 for ls, cat, and install. Canonical kept GNU versions for cp, mv, and rm due to unresolved issues.
uutils CVEs Expose Rust Safety Model Gaps
Rust's borrow checker and bounds checks block memory bugs like overflows. The 44 CVEs instead involve logic errors, including permission mishandling and time-of-check-to-time-of-use (TOCTOU) races.
CVE-2026-35355, in install.rs, involves mishandling of Permissions::from_mode(0o700). Attackers can gain privilege escalation during installs on Ubuntu PCs, per Canonical's USN-2026-001.
CVE-2026-35363 affects rm commands such as "rm ..". It ignores the OpenOptions::create_new rules that the Rust docs detail.
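The pattern behind this class of bug, as an added example that is not uutils code and does not reproduce any of the CVEs above: a check, create, then chmod sequence next to a single exclusive open that uses OpenOptions::create_new with the mode set at creation. The scratch directory and the file names `out` and `victim` are constructed for the demonstration.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{symlink, OpenOptionsExt, PermissionsExt};
use std::path::Path;

// Racy: check, create and chmod are three separate path lookups.
// All of it is memory-safe and compiles without warnings.
fn write_racy(path: &Path, data: &[u8]) -> io::Result<()> {
    if path.exists() { // follows symlinks, so a dangling link reads as "absent"
        return Err(io::ErrorKind::AlreadyExists.into());
    }
    fs::write(path, data)?; // follows the link; file starts with the umask-default mode
    fs::set_permissions(path, Permissions::from_mode(0o700)) // chmod by path, follows too
}

// Hardened: one open(2) with O_CREAT|O_EXCL and the final mode.
fn write_exclusive(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // fails if anything, even a dangling symlink, sits at `path`
        .mode(0o700) // applied at creation, so there is no chmod window
        .open(path)?;
    f.write_all(data)
}

// Constructed scenario: `out` is a dangling symlink pointing at `victim`.
fn demo() -> io::Result<(bool, bool, io::ErrorKind)> {
    let dir = std::env::temp_dir().join(format!("toctou-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir(&dir)?;
    let (victim, link) = (dir.join("victim"), dir.join("out"));
    symlink(&victim, &link)?;
    let check_passed = !link.exists(); // the existence check is fooled
    write_racy(&link, b"data")?;
    let victim_written = victim.exists(); // the write landed on the link target
    fs::remove_file(&victim)?; // make the link dangling again
    let kind = write_exclusive(&link, b"data").unwrap_err().kind();
    fs::remove_dir_all(&dir)?;
    Ok((check_passed, victim_written, kind))
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```
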
Jon Seager, Canonical VP of Engineering, said in the notice: "Audit ensures uutils maturity."
PC gamers risk Steam library deletions. Blender workstations face data loss from faulty rm.
Ubuntu 26.04 Defaults Challenge PC Reliability
uutils reimplements GNU coreutils in Rust for memory safety. Ubuntu 26.04 uses version 25.10 for most tools.
The Trail of Bits report, cited in USN-2026-001 dated April 15, 2026, lists all 44 CVEs. Patches appear on the uutils GitHub.
Phoronix tests by Michael Larabel on Ryzen 9 9950X show uutils ls 12% slower than GNU. cp lags 10-15%, delaying game asset copies.
Logic bugs evade Rust. PC admins doubt Ubuntu for NVMe RAID in workstations.
Rust Prioritizes Memory Over Logic Security
Rust prevents data races and use-after-free errors. uutils CVEs slip through, per Corrode.dev analysis.
CVE-2026-35355 enables escalation on desktops. RTX 5090 gamers and Threadripper pros need stable tools.
AI servers with NVIDIA GPUs depend on reliable coreutils. Bugs halt NVMe writes.
GNU C coreutils add ASLR hardening. Canonical weighs Rust gains against risks.
Performance Tradeoffs in uutils for PCs
- Tool: ls, cat · Language: Rust · Ubuntu 26.04 Default: Yes (25.10) · CVEs: 44
- Tool: cp, mv, rm · Language: C (GNU) · Ubuntu 26.04 Default: Yes · CVEs: Hardened
Phoronix confirms Rust overhead on Ryzen. uutils fits servers but slows PC tasks.
Rust drives Linux kernel and Firefox. uutils matches early GNU CVE rates.
PC Builders Face Canonical Strategy Shifts
Layered audits address bugs Rust won't catch. Enthusiasts test uutils on custom rigs.
Ubuntu powers Steam Proton gaming and VS Code dev. Disclosure hits Ubuntu Pro subs at $25/machine yearly, Canonical's revenue driver.
Hybrid Rust-C setup stabilizes high-end PCs. Future audits fix logic gaps.
Track updates at Canonical security notices. PC hardware demands reliable software. Ubuntu 26.04 users patch the 44 CVEs now. Rust advances, but audits build trust.
Frequently Asked Questions
What bugs Rust won't catch in uutils?
Logic errors like symlink races and permission mishandling evade memory safety. Canonical fixed 44 CVEs in uutils 25.10.
How do uutils CVEs impact Ubuntu PCs?
Ubuntu 26.04 defaults to uutils for coreutils. This risks data loss in gaming and workstation use; GNU tools are retained for some commands.
Why audit uutils for Ubuntu 26.04?
A pre-release Trail of Bits audit found 44 CVEs. It ensures maturity before uutils becomes the default in an LTS.
Details on CVE-2026-35355?
A bug in install.rs mishandles mode 0o700 and allows escalation. Rust misses this logic issue.
