Ghostboard pixel

Rust Could Eliminate 80% of Linux Kernel CVEs!

Linux's stable maintainer is betting on a new Rust type to address a class of bugs C has never been able to fully prevent.
Sourav Rudra
2 min read
Warp Terminal

Greg Kroah-Hartman was at RustWeek 2026 in Utrecht this week, and he talked about a Rust-based proposal still in development that could wipe out around 80% of the CVEs the Linux kernel generates.

That is not a small claim. This is coming from someone who has personally reviewed every kernel security bug since the Linux kernel security team was formed in 2005.

C's blind spot

Greg's presentation starts at 14:27.

The core problem, as Greg sees it, is untrusted data. Every time data arrives from user space or from hardware, the kernel should treat it with suspicion. C has never had a reliable way to enforce that.

Once data gets copied from user space into the kernel, it becomes a regular pointer and loses all context about where it came from. It gets passed around freely, and the external checkers that should catch issues do not always get run.

Hardware adds another layer of the same problem. The kernel was designed assuming hardware is trustworthy, and that assumption is getting harder to hold as malicious hardware becomes a real and growing threat.

What Rust already fixes

Before the new proposal even ships, Rust is already making a difference. Failing to check error return values and forgetting to release locks are two notable contributors to kernel CVEs, and Rust handles both at compile time.

Greg estimates those two fixes alone cover around 60% of kernel bugs.

And it doesn't stop there. Writing Rust bindings for existing C code has quietly pushed kernel maintainers to actually document and think through their APIs, working out ownership semantics, lock rules, and const-correctness.

Enter, the "untrusted" type

Greg's proposed solution is a Rust type called Untrusted<T>, developed with kernel contributor Benno Lossin. It attaches to data coming in from user space or hardware as a compile-time marker, with no runtime cost.

And you cannot access the underlying data without going through a validation step that explicitly converts it to trusted. That pushes all validation code into one visible, reviewable spot.

What this means for you as a Linux user? A significant number of the CVEs that currently trickle down to your distro as security updates simply would not exist in the first place.

But, it is not merged yet. Changes are still needed in the Rust compiler, and related work on field projections is running alongside it. Greg concluded his presentation by asking for more Rust kernel developers, and pointed towards the Rust for Linux mailing list as the starting point.

Suggested Read 📖: Fedora Pulls the Plug on Deepin

Fedora Pulls the Plug on Deepin Over Security and Maintenance Failures
After months of no responses and packages being left in disrepair, the FESCo has drawn a hard line.
It's FOSSSourav Rudra
News
About the author
Sourav Rudra

Sourav Rudra

A nerd with a passion for open source software, custom PC builds, motorsports, and exploring the endless possibilities of this world.

Read next

Fedora Pulls the Plug on Deepin Over Security and Maintenance Failures

Open Source ONLYOFFICE Docs 9.4 Brings Dark Spreadsheets, Smarter Forms, and a Licensing Cleanup

Things Are Quietly Changing at Bitwarden, and People Are Worried

Wow! Microsoft Now Has a Fedora-based Linux Distro

The Famous Linux System Cleaner BleachBit Now Has a TUI (And I Tried It Out)

Become a Better Linux User

With the FOSS Weekly Newsletter, you learn useful Linux tips, discover applications, explore new distros and stay updated with the latest from Linux world

itsfoss happy penguin

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to It's FOSS.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.