Canonical’s April 2026 audit of uutils found 44 CVEs in production Rust code, none caught by the borrow checker, clippy, or cargo audit.
Key Takeaways
TOCTOU bugs dominate: Rust’s ergonomic path APIs (fs::metadata, File::create) re-resolve paths on every syscall, enabling symlink swap attacks between steps.
OpenOptions::create_new(true) prevents symlink planting between remove and create; for existing files, anchor operations on a file descriptor, not a path.
String comparison on paths is not filesystem identity – use canonicalize() or compare (dev, inode) pairs the way GNU coreutils does.
from_utf8_lossy silently corrupts binary data; Unix stream tools (comm, cut, tr) must stay in bytes (OsStr, &[u8]) at system boundaries.
Every unwrap/expect in input-handling code is a potential DoS; catch them with clippy's unwrap_used, expect_used and panic lints, scoped to non-test code.
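As an added example (not code from the Canonical audit or from uutils), the std-only Rust idioms behind the first four takeaways: the racy check-then-create beside its create_new fix, and (dev, inode) identity taken via a path and via an already-open handle. Function names and the temp-dir scenario are hypothetical, and the code assumes a Unix filesystem.

```rust
// Added example, not code from the audit or from uutils: std-only Rust (Unix)
// showing the racy create, its create_new fix, and (dev, inode) identity.
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Racy "before" pattern: the existence check and the create are two separate
/// syscalls that each resolve `path` again, so a symlink planted in between is
/// followed by `File::create`, which creates or truncates whatever it points at.
pub fn create_fresh_racy(path: &Path) -> io::Result<File> {
    if fs::metadata(path).is_ok() {
        return Err(io::Error::new(io::ErrorKind::AlreadyExists, "already exists"));
    }
    File::create(path)
}

/// Hardened form: O_CREAT|O_EXCL in a single syscall. The kernel refuses an
/// existing file *and* a symlink at `path` (even a dangling one), so there is
/// no window between check and create.
pub fn create_fresh(path: &Path) -> io::Result<File> {
    OpenOptions::new().write(true).create_new(true).open(path)
}

/// Filesystem identity the way GNU coreutils checks it: same device and inode
/// means the same object, however differently the two paths are spelled.
pub fn same_file(a: &Path, b: &Path) -> io::Result<bool> {
    let (ma, mb) = (fs::metadata(a)?, fs::metadata(b)?);
    Ok(ma.dev() == mb.dev() && ma.ino() == mb.ino())
}

/// Anchor on a descriptor: once the file is open, take its identity from the
/// handle (fstat) rather than re-resolving a path that may have been swapped.
pub fn handle_is(f: &File, p: &Path) -> io::Result<bool> {
    let (mf, mp) = (f.metadata()?, fs::metadata(p)?);
    Ok(mf.dev() == mp.dev() && mf.ino() == mp.ino())
}

fn main() -> io::Result<()> {
    // Constructed scenario: a symlink whose target does not exist yet.
    let dir = std::env::temp_dir().join(format!("toctou-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (link, victim) = (dir.join("planted"), dir.join("victim"));
    std::os::unix::fs::symlink(&victim, &link)?;
    println!("create_new via symlink: {:?}", create_fresh(&link).map(|_| ()));
    println!("racy create via symlink: {:?}", create_fresh_racy(&link).map(|_| ()));
    println!("victim now exists: {}", victim.exists());
    println!("same_file(link, victim): {}", same_file(&link, &victim)?);
    fs::remove_dir_all(&dir)
}
```

Running it shows create_new failing with AlreadyExists while the racy version silently creates the symlink's target, and same_file reporting the link and its target as one object even though the path strings differ.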