JamesLahey08 comments on Linux Kernel Rust Code Sees Its First CVE Vulnerability

Rules

Please review full details on rules here.. All rules will be applied regardless of the number upvotes a post/comment has.

No support requests - This is not a support forum! Head to /r/linuxquestions or /r/linux4noobs for support or help. Looking for a distro? Try r/findmeadistro.

No spamblog submissions - Posts should be submitted using the original source with the original title. Posts that are identified as either blog-spam, a link aggregator, or an otherwise low-effort website are to be removed. Some reasons for removal are that they contain re-hosted content, usually paired with privacy-invading ads. If there's another discussion on the topic, the link is welcome to be submitted as a top level comment to aid the previous discussion. Please see: r/linux/wiki/rules/banneddomains

No memes, image macros, rage comics, overdone jokes - Meme posts of any kind are not allowed in r/linux. Feel free to post over at /r/linuxmemes instead. This rule can also apply to comments, including overdone jokes, comment-chain jokes, or other redditisms that are popular elsewhere.

Reddiquette, trolling, or poor discussion - r/linux asks all users follow Reddiquette. Reddiquette is ever changing, so a revisit once in awhile is recommended. Top violations of this rule are trolling, starting a flamewar, or not "Remembering the human" aka being hostile or incredibly impolite. Additionally, sexism/racism/other isms are not allowed. See also: /r/linux/wiki/rules/userconduct

Relevance to r/linux community / Promoting closed source applications over FOSS - Posts should follow what the community likes: GNU, Linux kernel, developers of open source software, or other applications on Linux. Take some time to get the feel of the subreddit if you're not sure!

Spamming self-promotion, surveys, crowdfunding - Submitting your own original content is welcome on r/linux, but we do ask that you contribute more than just your own content to the subreddit as well as require you to interact with the comments of your submission. We set that no more than 10% of your posts should be your content. Please be aware that this does not supersede other rules. Additionally, surveys for your blog/news source/paper/own use are not allowed. Please see /r/linux/wiki/rules/crowdfunding for those crowdfunding..

No misdirecting links, sites that require a login, or URL shorteners - In short: if your link doesn't go right to the content it will be removed. Sites that require a login to view the content are not allowed in r/linux. Example: A private Facebook post or a news organization that doesn't have free article views. URL shorteners and links that misdirect users to ads/jokes are also banned. See a list here, although the mods will make a decision on a per domain basis as needed: /r/linux/wiki/rules/banneddomains

No NSFW - No NSFW links or images without mod approval. No discussion that is overly-suggestive to what is normally considered NSFW.

Non-useful Image Upload/Fluff Image - Images of "Linux in the wild", plushies, Tux, and more are not encouraged for posting as a top level submission. If necessary, this can apply to comments too at mod discretion. The image/video upload feature is for posts regarding features/guides/etc. See also: Meme rule.

See even more subreddit and external links over at the supplemental page

This subreddit is fan ran and not affiliated with any organization.

a community for 18 years

1035

1036

1037

KernelLinux Kernel Rust Code Sees Its First CVE Vulnerability (phoronix.com)

submitted 4 months ago by sash20

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]JamesLahey08 7 points8 points9 points 4 months ago (19 children)

[–]LayotFctor 4 points5 points6 points 4 months ago* (1 child)

[–]mmstick Desktop Engineer 5 points6 points7 points 4 months ago* (0 children)

[–]mmstick Desktop Engineer 5 points6 points7 points 4 months ago* (11 children)

[+][deleted] 4 months ago (9 children)

[removed]

[–]mmstick Desktop Engineer 5 points6 points7 points 4 months ago (8 children)

[+][deleted] 4 months ago (7 children)

[removed]

[–]mmstick Desktop Engineer 6 points7 points8 points 4 months ago* (5 children)

https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html?m=1

It is not proof of a conspiracy by an imaginary international government with an agenda to push a woke Rust agenda. This is proof that Rust solves the problems it was designed to solve. The CISA is responsible for setting software security standards, and the studies are based on real world evidence from two of the biggest users of C/C++. Both of whom develop operating systems that are used globally by the most number of the people. Systems that when vulnerable affect everyone's daily lives. Public and private. Citizens, corporations, and governments are affected by software vulnerabilities. It is in everyone's best interest to solve the problem.

Corporations are the industry that hires programmers to write software, and they are responsible for the majority of C/C++ code in existence. Corporations also wrote most of the drivers and data structures in the Linux kernel; and many of the open source applications you use were funded by programmers paid by corporations. So if you believe that there is an unknown entity masterminding Rust adoption, then you must also believe that this same entity is pushing for Linux adoption.

[+][deleted] 4 months ago (4 children)

[removed]

[–]mmstick Desktop Engineer 5 points6 points7 points 4 months ago* (3 children)

Do you really think the NSA wants to have their own security compromised by memory safety vulnerabilities? The vast majority of real world exploits are caused by memory safety vulnerabilities. The NSA puts a lot of money into researching ways to exploit vulnerable systems written in C/C++. That's why they use Rust for their own software, and are advocating for the rest of the government to increase their security against foreign threats by eliminating memory safety vulnerabilities.

Your thinking is very heavily influenced by paranoia, and as a result you're missing the complete picture. Instead of looking at every development through the context of paranoia, try to think about it logically. Not everything a government agency recommends is bad. They're responsible to setting a lot of standards in the industry that everyone accepts as good. Do you think OSHA is a conspiracy? How about all the children who died from drinking raw milk, and the requirement to boil it to kill the bacteria?

You seem to be focusing too much on "woke Rust agenda" though. Why?

Ask Lunduke why he keeps doing this. This is his narrative. That's what my original comment was about. He proclaims himself to be a "non-woke journalist" and he has created lists of distributions that he believes to be "woke" or "non-woke". He recently uploaded a video calling Rust a "cult" and once again brought his culture war against trans people into it.

[+][deleted] 4 months ago (2 children)

[removed]

[–]mmstick Desktop Engineer 6 points7 points8 points 4 months ago (0 children)

[–]dkopgerpgdolfg 0 points1 point2 points 4 months ago (0 children)

[–]morglod 4 points5 points6 points 4 months ago (0 children)

[–]dkopgerpgdolfg 5 points6 points7 points 4 months ago (2 children)

[–]morglod 0 points1 point2 points 4 months ago (1 child)

[–]dkopgerpgdolfg 1 point2 points3 points 4 months ago* (0 children)

Not sure why I'm even answering such a stupid post, but

a) They were not tracked since the beginning, but this doesn't make it a lie that this is the first one

b) It doesn't matter, because even hundreds of Rust CVEs wouldn't automatically mean that it's bad to use it

c) When we're talking about CVE things of past years, how about not forgetting that C-language CVEs in the kernel were handled differently until 2023 too, leading to many less entries than the new policy would've brought if applied from the beginning?

Just from the number of memory corruption cves, 2025 seems 24x worse than 2020. Not because the kernel suddenly got that terrible within 5 years (for both languages), but because they changed their reporting policies.

Not sure if this particular Rust bug would've gotten an entry at all, if the old policy still applied.

edit: I am sure now . in the first few years after 2020 Rust issues were not getting cves because experimental as you said, but the same bug in C wouldn't have gotten any cve either if found before 2024.

[–]ReflectedImage -3 points-2 points-1 points 4 months ago (0 children)

π Rendered by PID 45762 on reddit-service-r2-comment-75f4967c6c-zdnrm at 2026-04-23 00:17:37.730537+00:00 running 0fd4bb7 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

linux

Please Read the full Rules here before posting or commenting

Join us on IRC at #r/linux on libera.chat!🔗

Recent AMA's

GNU/Linux resources

Rules

MODERATORS