- Canonical disclosed 44 CVEs in uutils on April 9, 2026.
- Ubuntu 25.10 ships uutils by default for 3 core utilities: cp, mv, rm.
- CVE-2026-35355: install mishandles Permissions::from_mode(0o700), enabling privilege escalation via symlinks.
Canonical disclosed 44 CVEs in uutils coreutils on April 9, 2026: bugs Rust won't catch, because they are logic flaws rather than memory errors. uutils is a Rust-based reimplementation of GNU coreutils that ships by default in Ubuntu 25.10 for cp, mv, and rm. An external audit ahead of Ubuntu 26.04 LTS revealed logic flaws such as permission mishandling and race conditions. Jon Seager, Canonical's VP of Engineering for Ubuntu, confirmed the CVEs in the official Ubuntu security notices.
GNU coreutils remain available as alternatives in Ubuntu 26.04 LTS.
Permissions Bug in install.rs Enables Escalation
CVE-2026-35355 affects src/uu/install/src/install.rs. The Permissions::from_mode(0o700) call applies incorrect file permissions, which attackers can chain with symlinks for privilege escalation. Rust's borrow checker blocks memory errors but not logic flaws, so this class of bug evades it, as detailed in Corrode's analysis.
Rust's std::fs::OpenOptions::create_new fails when a file or symlink already exists at the target path, per the Rust documentation. Developers often overlook this edge case, leading to production vulnerabilities.
The bug occurs when install derives permissions from mode bits without validating symlink targets. Attackers can create symlinks to sensitive files like /etc/shadow and gain root access during package installs.
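The following is an added example, not code from uutils or from the Ubuntu notices. It uses only the Rust standard library to show the two patterns this section contrasts: applying a mode to a destination path (std::fs::set_permissions calls chmod, which follows a planted symlink onto whatever it points at) versus creating the destination with create_new, which refuses any pre-existing file or symlink, and then applying the mode through the open file descriptor. The scratch directory, the "sensitive" stand-in file and the "dest" link name are constructed for the demo; the real code path in install.rs is not reproduced.

```rust
// Added example (not uutils code): path-based chmod follows a planted symlink,
// while create_new + fd-based chmod refuses to touch a pre-existing path.
use std::fs::{self, File, OpenOptions, Permissions};
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::{Path, PathBuf};

/// Naive pattern: chmod by path. On Linux std::fs::set_permissions uses
/// chmod(2), which follows symlinks, so the mode lands on the link target.
pub fn install_mode_naive(dest: &Path, mode: u32) -> io::Result<()> {
    fs::set_permissions(dest, Permissions::from_mode(mode))
}

/// Defensive pattern: create_new fails with EEXIST if any file or symlink is
/// already at `dest`; on success the mode is applied via the descriptor
/// (fchmod), so the path is never consulted a second time.
pub fn install_mode_checked(dest: &Path, mode: u32) -> io::Result<()> {
    let f: File = OpenOptions::new().write(true).create_new(true).open(dest)?;
    f.set_permissions(Permissions::from_mode(mode))
}

/// Permission bits of the file behind `p` (follows symlinks, like stat).
pub fn mode_bits(p: &Path) -> u32 {
    fs::metadata(p).expect("stat").permissions().mode() & 0o777
}

/// Fresh scratch directory for this process (constructed for the demo).
fn scratch_dir(tag: &str) -> PathBuf {
    let d = std::env::temp_dir()
        .join(format!("install-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&d);
    fs::create_dir_all(&d).expect("create scratch dir");
    d
}

/// Runs both patterns against a symlink that points at a stand-in sensitive
/// file. Returns (target mode after naive, target mode after checked,
/// whether the checked variant refused the symlink).
pub fn demo() -> (u32, u32, bool) {
    let dir = scratch_dir("run");
    let target = dir.join("sensitive"); // stands in for a protected file
    fs::write(&target, b"secret").unwrap();
    fs::set_permissions(&target, Permissions::from_mode(0o600)).unwrap();
    let link = dir.join("dest"); // the pre-planted symlink at the install path
    symlink(&target, &link).unwrap();

    // Naive: the link is followed and the protected file's mode changes.
    install_mode_naive(&link, 0o700).unwrap();
    let after_naive = mode_bits(&target);

    // Reset, then run the checked variant: create_new sees the existing
    // symlink and returns an error before any mode is applied.
    fs::set_permissions(&target, Permissions::from_mode(0o600)).unwrap();
    let refused = install_mode_checked(&link, 0o700).is_err();
    let after_checked = mode_bits(&target);

    let _ = fs::remove_dir_all(&dir);
    (after_naive, after_checked, refused)
}

fn main() {
    let (n, c, r) = demo();
    println!("naive -> {:o}, checked -> {:o}, checked refused: {}", n, c, r);
}
```

The naive run leaves the stand-in file at 0o700, the checked run leaves it at 0o600 and reports an error instead. Any install-style tool that must honour an existing destination needs an explicit policy for the symlink case (refuse, or replace the link itself) rather than a path-based chmod after the fact.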
rm Race Condition Risks Data Loss
CVE-2026-35363 affects the rm utility. Under a race between the directory scan and the subsequent unlink calls, faulty logic deletes the wrong files. This risks unauthorized data access or denial of service in multi-threaded environments.
uutils GitHub issues document similar races. Attackers exploit such timing gaps in CI/CD pipelines, wiping backups mid-build on AWS Lambda or Google Cloud Run.
CVSS v3.1 scores CVE-2026-35355 at 8.2 (high severity) for its exploitability.
Startup Deployments Amplify uutils Risks
Startups favor Rust microservices on Ubuntu for performance and safety. uutils handles file operations in Docker containers and CI/CD workflows.
A flawed install command exposes servers to symlink attacks. Companies like Discord and Dropbox use Rust crates; Ubuntu 25.10 images propagate these bugs.
IBM's 2023 Cost of a Data Breach Report puts the average breach cost at $4.45 million USD. Logic flaws persist despite Rust's protections, and scanners like Trivy ignore them.
Cloud providers execute Rust code at scale. rm bugs disrupt builds, costing hours in downtime.
Rust Catches 70% of Memory Bugs, Misses Logic Flaws
Rust eliminates 70% of memory bugs at compile time, per University of Cambridge researchers David Chisnall and Brooks Davis. Logic errors require runtime fuzzing with AFL++ or honggfuzz.
uutils aims for GNU compatibility. Its Rust idioms inherit assumptions from the C original, such as improper permission inheritance from parent directories.
Ubuntu lists all 44 CVEs with patches. rm issues enable DoS via recursive deletes on crafted directories.
Stack Overflow's 2023 Developer Survey shows 40% Rust adoption in cloud apps.
Breaches Cost Startups $4.45M on Average
Investors mandate Rust for secure stacks. Skipped audits inflate risks by 40%, per Ponemon Institute data.
Gartner estimates a uutils exploit costs $2.5 million USD in downtime for mid-sized firms. Cloud bills surge during breach response.
Canonical's disclosure prompts ecosystem audits. Startups face $500K USD in verification spends.
Mitigations Against Bugs Rust Won't Catch
Run cargo-audit for dependencies. Fuzz install.rs and rm with cargo-fuzz or honggfuzz.
Canonical patched Ubuntu 26.04 LTS. Pin uutils to v0.0.28; audit pre-launch.
Deploy seccomp to block symlink creation in containers. Enforce SELinux for file modes.
Track uutils releases on GitHub. Use BusyBox or GNU coreutils as alternatives.
Hybrid Go-Rust stacks limit exposure. Custom fuzzing suites ensure full Rust sysutils safety.
Investors Weigh Canonical's 44 CVEs
VC firms back Rust for 2x scaling speed. Logic bugs erode trust, driving audit benchmarks.
Developers now dissect Permissions::from_mode and rm logic. OWASP reviews loom for future sysutils.
Mitigate to cut breach costs. Canonical's action strengthens Ubuntu enterprise appeal. Bugs Rust won't catch demand layered defenses.
Frequently Asked Questions
What bugs won't Rust catch in uutils coreutils?
Logic flaws such as permission errors and symlink mishandling. Canonical found 44 CVEs in install.rs and rm.
How many CVEs did Canonical disclose in uutils?
44 CVEs on April 9, 2026, ahead of the Ubuntu 26.04 LTS audit.
What is CVE-2026-35355?
Permissions::from_mode(0o700) bug in src/uu/install/src/install.rs enables privilege escalation.
Why do these impact startup cybersecurity?
uutils runs in Rust microservices and CI/CD. Logic bugs expose servers despite memory safety.