In April 2026, Canonical revealed 44 CVEs in uutils, the Rust reimplementation of GNU coreutils. What's striking is that all these vulnerabilities landed in production code written by experienced Rust developers, yet escaped detection by Rust's safety features. The audit commissioned ahead of Ubuntu 26.04 LTS provides developers with an unprecedented look at where Rust's guarantees end.

The largest vulnerability cluster involves TOCTOU (Time Of Check To Time Of Use) bugs across filesystem operations. Rust's standard library APIs like fs::metadata and File::create re-resolve paths on each call, creating security windows where attackers can swap targets between syscalls. The fix involves anchoring operations on file descriptors rather than paths.

Other critical lessons include setting permissions at creation time rather than after, resolving paths before comparing them, and staying in bytes at Unix boundaries rather than forcing UTF-8. For systems programming in Rust, these patterns represent the difference between secure and vulnerable code when working with filesystem operations.