Linux Kernel Rust Code Sees Its First CVE Vulnerability

Longtime Linux developer Greg Kroah-Hartman announced that the Linux kernel has received its first CVE tied to Rust code. Phoronix reports: This first CVE (CVE-2025-68260) for Rust code in the Linux kernel pertains to the Android Binder rewrite in Rust. There is a race condition that can occur due to some noted unsafe Rust code. That code can lead to memory corruption of the previous/next pointers and in turn cause a crash. This CVE for the possible system crash is for Linux 6.18 and newer since the introduction of the Rust Binder driver. At least though it's just a possible system crash and not any more serious system compromise with remote code execution or other more severe issues.

Nope

[SlashbotAgent]

I don't believe it. I've been repeatedly told that Rust code is memory safe and this sort of stupid programming error can't happen in Rust, only other languages.

Re:Nope

[DarkOx]

it was in an 'unsafe' section for what it is worth.

But then systems programing means you're going to have a lot of that. So maybe rust really isn't such a good systems language... as it does not really get you much when you can't use its safety features.

Re:

[sinij]

I never tried or looked into Rust. Can you explain to me what is 'unsafe' section is and how necessary is it? Is the issue that Rust checks were intentionally subverted by some idiot or is that Rust is not usable/cannot accomplish what you need to do in most cases and you have to use 'unsafe' section?

Re: Nope

[reanjr]

Unsafe is very hard to avoid in Rust. It's pretty much impossible for something low level like kernel development. 20% of Rust packages use unsafe. And most Rust apps depend on multiple packages.

Re: Nope

[MightyMartian]

So, in other words, it really isn't any better at bare metal development than C/C++. If you have to direct memory and hardware manipulation in unsafe blocks, then really, it's just the same thing as doing it in C.

Re:

[dfghjk]

"...then really, it's just the same thing as doing it in C."

Only worse, because it's not C. Gratuitous change.

Re: Nope

[MightyMartian]

Indeed. Replacing half a century of collective experience with a new language in an entirely different and far less tested environment to write low level code, where all the memory safety features have to be disabled at all the same failure points where C and assembly have been used... for reasons.

Re:

[HiThere]

More specifically it's worse because you can't have multiple references to the same memory location even within a single threaded piece of code. It's like uselessly having one hand tied behind your back.

Re:

[SirSlud]

Not by a long shot. Unsafe is scoped. 20% of Rust packages may use unsafe, but the amount of code in unsafe sections is far far far lower. Unsafe means "I accept the risk of doing unsafe things" but because it's scoped, just because a package uses Unsafe, it's still benefiting from the memory safety of bounds checking and borrow checking 99% of the time.

That's a far far cry from "it's just the same thing as doing it in C"

Re:

[ThePyro]

The applicable bit here is that the rust compiler enforces memory ownership rules that ought to prevent multiple threads from modifying the same memory address. By using an "unsafe" block of code, you've told the compiler to turn those rules off.

I can't comment on how necessary an "unsafe" block would be in this instance, but I would guess that systems programming definitely requires unsafe blocks at times.

Re:

[fahrbot-bot]

The applicable bit here is that the rust compiler enforces memory ownership rules that ought to prevent multiple threads from modifying the same memory address. By using an "unsafe" block of code, you've told the compiler to turn those rules off.

At which point, you're (basically) using C - again. Not saying that there's no benefit to Rust and its safe(er) sections, but being a good Rust programmer doesn't make you a good C programmer, which (I'm guessing) is what you need more of for the unsafe sections. Rewriting things in Rust for the sake of it probably hinges on the ratio or safe to unsafe code, where those are and how they're maintained.

Re: Nope

[ArmoredDragon]

The applicable bit here is that the rust compiler enforces memory ownership rules that ought to prevent multiple threads from modifying the same memory address. By using an "unsafe" block of code, you've told the compiler to turn those rules off.

This is incorrect, unsafe rust doesn't allow you to simply ignore the borrow checker. This is a very common myth, usually stated by C++ developers who already love footguns and poo-poo the language despite never having used it. In rust, ownership rules are ALWAYS enforced no matter what you do. In fact, there are exactly 5 things that unsafe allows:

https://doc.rust-lang.org/book... [rust-lang.org]

You can, in principle, circumvent the borrow checker by converting a normal pointer into a raw pointer and later dereferencing it, which is just adding indirection. But in practice, there's no good reason to do this, and there's likely already an easier way to do what you might be wanting to do with it that doesn't require unsafe. Raw pointers are generally only really useful for FFI, which is already inherently unsafe in any language.

Re:

[dremon]

Portions of the Rust code can be marked as "unsafe". Within an unsafe block you can dereference a raw pointer and call an unsafe function (e.g. an external C function). Outside of the unsafe, the compiler guarantees memory safety and absence of data races, during compilation. Unsafe blocks are necessary to interact with the hardware, call external libraries written in other languages or write a highly optimized or specialized code.

While the entire application written in C (and C++) is inherently unsafe by

Re:

[sinij]

Thank you for clear explanation.

Re:

[thegarbz]

C code is also quite safe and easy to write in a memory safe way if you don't use pointers. Every language has the ability to shoot yourself in the foot with its more complex functionality. For rust, you need to specifically declare functions or types "unsafe" in order to do so. It opens the possibility to do things that the compiler can't verify to be memory safe. But you need to do it explicitly.

Re:

[HiThere]

To be fair, C practically insists that you use raw pointers. I think the C standard should allow references. Also some way to handle unique_pointer and shared_pointer. (I mean a way that's standard for the language.) But this would require that the pointer know how large a chunk of memory it was pointing at.

Re: Nope

[ArmoredDragon]

That kind of defeats the point of what C is intended to do. C is intended as a more of portable assembly. Abstract concepts like references are too much of an abstraction for that. Though C does carry with it some unnecessary and sometimes nasty footguns, like a = b returning the value of b, which some developers do some nutty things with, like the infamous 'if (a = b) {..}' being an intended feature of C. And some developers insist that such footguns are useful and shouldn't ever be removed.

I've heard zig

Re:

[HiThere]

And in a single threaded loop it feels like unnecessarily having one hand tied behind your back.

Re:

[klui]

This CVE is discussed in detail by this YTer. He's a Rust proponent but very open about its limitations.

https://www.youtube.com/watch?... [youtube.com]

Re:

[phantomfive]

What does he say? Anything interesting?

Re:

[znrt]

that a programmer needed to remove a node from a list, realized that it was an inherently unsafe operation, concluded that in that situation it was safe to use unsafe, wrote a "safety" comment explaining why it was the case, proceeded to use unsafe and then inadvertently did this:

- get a lock on some list of pointers
- copy the list
- release the lock
- alter the list

which basically means that no amount of safety guards can really protect us from ourselves. it might also mean that sometimes having those guards

Re:

[znrt]

s/really/fully/

Re:

[gillbates]

I don't get the Rust hatred. C has implicitly had an "unsafe" mode for much longer than Rust.

If you're a C kernel developer, you can jump on the Rust bandwagon very easily: just put the keyword unsafe in your comments and you can write code just like Rust developers.

Maybe, just maybe, this mistake was caused by the fact that the same sort of people who are likely to write bugs into their code are the same types of people who prefer "safe" languages because understanding the subtle nuances of how comput

Re:

[thegarbz]

I don't believe it. I've been repeatedly told that Rust code is memory safe and this sort of stupid programming error can't happen in Rust, only other languages.

That's your own ignorance at work. Rust is memory safe, if you use it that way. TFS specifically not it was in an explicitly *unsafe* code. I.e. the programmer literally has to type the word "unsafe" into the code.

Even people who we put into rooms with walls made of fluffy pillows for their own protection, could none the less if they tried, suffocate themselves.

Re:

[backslashdot]

So you're retarded?

Re:

[LoneBoco]

It's pretty amateurish to introduce memory vulnerabilities with the "unsafe" keyword when there are perfectly memory safe ways to add memory vulnerabilities to your code (https://github.com/Speykious/cve-rs)

Rust is NOT memory safe

[Murdoch5]

It's over, Rust can never claim to be memory safe, it's not a discussion point anymore. The fact you can use a keyword called “unsafe”, makes all the claims, and the religious like devotion, nothing more than a joke. For everyone who was ready to die on the hill of Rust safety, it's over, Rust is another language that has failed the memory safe experiment.

Re: Rust is NOT memory safe

[mwa]

And this is tagged "troll."

The truth is that Rust's cheerleaders have been trolling since the beginning about memory safety.

Re:

[Murdoch5]

I don't understand the Rust culture, I really don't. You never see this kind of hardline, ultra-orthodox alignment with other languages, at this scale. I remember Lunduke said something like “GW Basic in certain circumstances could compile faster than Rust.”, then showed it, and got death threats. Here, we have literal memory corruption, and Rust fans are upset, or taking up arms that anyone dare even suggest that Rust might have memory issues? Rust is the language equivalent of far-left fe

Re:

[fahrbot-bot]

You never see this kind of hardline, ultra-orthodox alignment with other languages, at this scale.

Tell Python programmers that white-space block delineation is dumb and braces are better. :-)

Re:

[Murdoch5]

You'll have some people get annoyed, or possibly mad, but you will not have groups of people calling for death and extreme violence. I know “harder aligned” C programmers, or, Perl (dear lord), but nothing like Rust. People suggest that Rust might not be the best fit for a project, and look what happens publicly. I've had a tiff with a developer about Perl, but it was civil, Rust devotion isn't civil.

Re:

[sg_oneill]

Tell Python programmers that white-space block delineation is dumb and braces are better. :-)

The reason people will roll their eyes at you over that is that its an incredibly boring debate that ended 30 years ago. Its pure surface level semantics and it just isn't interesting and tends to suggest people haven't actually spent much time understanding what they are complaining about.

Python has plenty of serious problems. But if what you get hung up on is whitespace, it means you dont know what the serious pro

Re:

[phantomfive]

The reason people will roll their eyes at you over that is that its an incredibly boring debate that ended 30 years ago.

And yet, you jumped into the argument as if it were fresh dung and you were a dung beetle.

Python has plenty of serious problems. But if what you get hung up on is whitespace,

And there it is, you're a dung beetle white space Python fan who can't resist defending your bad decisions.

Re:

[phantomfive]

I don't understand the Rust culture, I really don't. You never see this kind of hardline, ultra-orthodox alignment with other languages, at this scale

Swift programmers were worse. It's a crappy language (has all the warts of Objective-C and adds some of its own), but as soon as you say "the enum system makes it easy to write confusing code" you will have all kinds of Swift programmers coming out to insult you and your dog.

Re:

[Narcocide]

Follow the money.

Rust's claims of memory safety

[davidwr]

First, I'm not a Rust programmer, but I am a programmer.

Rust's claims about memory safety read to me like "we promise we are memory-safe except where you tell me they aren't. If you use a library that is marked as unsafe, you are responsible for knowing what you are doing and what the library is doing. But in all other cases, we guarantee memory safety."

If I wanted 100% memory safety, there would be a lot of things that I either couldn't do or couldn't do efficiently enough to be worth doing. A large part

Re:

[Murdoch5]

You could make the same claim about C, it's memory safe, except when it's not. The narrative of Rust was that it's memory safe to a level that the concept of memory based corrupt or memory nonsense is no longer possible. Obviously, that's a ridiculous claim to make, but so many people believed it, to the point they were willing to commit violence against anyone who dared question the divine nature of Rust memory safety. Lunduke has proven that, he gets death threats when he makes objectively true, and har

Re:

[phantomfive]

There are a lot of people who believe Rust will get rid of ALL their security errors, not just memory errors. That's why it's a dangerous language.

Re:Rust is NOT memory safe

[thegarbz]

We need to remove seatbelts from cars, they are useless because people can drive without wearing them. Why did we even have seatbelts. All those people claiming seatbelts are of any benefit are just religious and nothing more than a joke.

Yes this is how stupid your post sounds.

Re:

[Murdoch5]

Except that no one claims seat belts prevents accidents, and with Rust people do claim Rust prevents any possibility of an error, or memory corruption. That's why this needs to be called out, the pure stupidity of the hardcore Rust or die group. The group that calls for death and extreme violence against people who simply suggest that Rust might not be the greatest created language of all time, and who doubt the stated claims of pure and absolute safety. You can prove this, just watch video from Lunduke,

No Joy in Mudville-err Rust Language Army

[BrendaEM]

Well, the the Rust Army has, who has had their eyes set on the Linux use-case prize, has suffered a setback.

experniment

[laktech]

_NOW_ the experiment is over.

re-write

[fahrbot-bot]

CVE ... pertains to the Android Binder rewrite in Rust.

Rewrites always carry the risk of new problems as well as old problems in new ways.

Just curious; was there a reason this coded needed to be rewritten or was it a failure to apply "if it's not broke, don't fix it?"

Big Yawn Here

[EndlessNameless]

A vulnerability in an unsafe section of Rust is not surprising, and it was essentially inevitable that it would happen. That's the whole point of having safe vs unsafe modes.

There are still two really good reasons to use Rust widely:

1. Safe sections are typically the majority of the code, and they avoid problems without requiring and agonizing level of developer scrutiny and testing.
2. The requirement to mark unsafe sections makes it easier to identify problems and fix them. The maintainer probably knows exactly

Re: Big Yawn Here

[fluffernutter]

The same can be said for a C program. A majority of it is safe until you overflow that buffer.

If ain't broken...

[devslash0]

Once again we get the proof that rewriting old, working software is a very bad idea.

Key word highlighted for your convenience

[RightwingNutjob]

This first CVE (CVE-2025-68260) for Rust code in the Linux kernel pertains to the Android Binder rewrite in Rust. There is a race condition that can occur due to some noted unsafe Rust code. That code can lead to memory corruption of the previous/next pointers and in turn cause a crash.

what is this rust thing all about, then?

[zeiche]

i thought the whole point of integrating rust into linux was precisely for its memory safe features. AND THEN THEY JUST WRITE MEMORY UNSAFE CODE? WHAT THE F*CK!

Re:

[thesjaakspoiler]

You were not told the whole truth and the benevolent dictator Linus also didn't see this coming.
*Grabbing popcorn, waiting for the next Linus rant.

Linux kernel python code

[thesjaakspoiler]

Python would have been a far better choice to be supported in the kernel because it has no pointers.
Those Rust dummies messing it up would be a matter of time.