Ubuntu Rust Coreutils Audit Revealed 113 Issues, Ubuntu 26.10 Aims For "100% Rust Coreutils"

The recent Zellic audit of Ubuntu's Rust Coreutils underscores the growing scrutiny on open‑source security. By identifying 70 CVEs and 73 other defects, the review forced Canonical to prioritize rapid patches, demonstrating how external audits can accelerate hardening of critical system components. This proactive stance not only protects end‑users but also reinforces Ubuntu’s reputation as a security‑focused distribution.

Ubuntu 26.04 LTS marks a transitional milestone, shipping Rust Coreutils 0.8 with the majority of identified flaws already resolved. Yet, the decision to retain GNU implementations for cp, mv and rm reflects a pragmatic approach: the remaining TOCTOU (time‑of‑check‑to‑time‑of‑use) vulnerabilities are non‑trivial to eliminate without compromising stability. By isolating these commands, Canonical ensures a reliable user experience while the Rust rewrite matures, illustrating a balanced path between innovation and operational continuity.

Looking ahead to Ubuntu 26.10, Canonical’s ambition for 100% Rust‑based Coreutils signals a broader industry trend toward memory‑safe languages for system software. If successful, this could lower the attack surface across millions of Linux installations and inspire other distributions to adopt similar strategies. The move also aligns with enterprise demands for robust, auditable codebases, potentially reshaping expectations for default tooling in the Linux ecosystem.