Ubuntu has completed a two-phase independent security audit of rust-coreutils (uutils) with security firm Zellic, uncovering 113 issues across both rounds. The vast majority have been resolved. Ubuntu 25.10 already ships rust-coreutils as default, and Ubuntu 26.04 LTS includes version 0.8.0 with most fixes applied. However, cp, mv, and rm remain provided by GNU coreutils due to 8 unresolved TOCTOU race condition issues. The goal is full 100% rust-coreutils adoption in Ubuntu 26.10. 44 CVEs identified during the audit are also publicly disclosed.
Table of contents
What happened after the announcementPartnering with ZellicCurrent status for 26.04 LTSConclusionCVE disclosuresSort: