CVE databases track security vulnerabilities, but memory safety bugs reveal a fundamental split between Rust and C/C++. The core distinction lies in how each language handles undefined behavior and library responsibility. When unsafe code in Rust causes memory issues, the library bears the blame—even without active exploitation in the wild.

C libraries like curl operate under different assumptions. Passing NULL to curl_getenv triggers a segfault, but this represents 'wrong usage' rather than a library flaw. C's limited type system makes precise API contracts impractical, so documentation rarely enumerates every misuse scenario. Reporting such cases would flood CVE systems with millions of trivial entries.

In contrast, Rust's safe/unsafe boundary creates stricter standards. If hyper::foo(None) crashes without unsafe blocks in user code, it's a soundness bug requiring immediate attention. The language's design prevents many memory errors by construction, shifting responsibility to library maintainers.

This difference explains why Rust CVEs often appear stricter than C/C++ equivalents. Developers transitioning between languages must understand that Rust's memory safety isn't just theoretical—it fundamentally changes how vulnerabilities are classified and addressed in practice.