Rust Coreutils 0.9 Hardens Against Races and Unsafe Code

The uutils project shipped Rust Coreutils 0.9.0 at the end of May 2026. The release follows months of work triggered by a third-party security audit. That audit, funded by Canonical, uncovered dozens of issues. Many centered on time-of-check-to-time-of-use races. Others involved subtle differences from GNU behavior.

Developers responded quickly. They added a new safe_copy module inside uucore. They tightened recursive traversal logic in cp, mv and chmod. Rm now handles dot and dot-dot paths with extra care. Nohup creates its output file with mode 0600. Chroot resolves all user and group IDs before switching root. These changes close many of the reported problems. Phoronix first reported the release and its security focus (https://www.phoronix.com/news/Rust-Coreutils-0.9).

But 0.9.0 delivers more than fixes. The team cut the amount of unsafe Rust code across the board. Dozens of blocks disappeared. Low-level system calls moved from the nix and libc crates to rustix. The shift shrinks the attack surface. It also improves consistency on platforms beyond Linux.

Performance gains arrived too. Zero-copy I/O paths using splice, tee and pipe now accelerate cat, wc, head, tail, yes, cp, tee and unexpand. One benchmark showed unexpand running 7.5 percent faster. Cp from a pipe feels quicker on Linux. Tee uses raw syscalls instead of extra copies. These optimizations sit inside a reworked uucore::pipes and buf_copy layer. Real-world scripts that chain these tools stand to benefit.

Compatibility with GNU coreutils reached 90.4 percent on the test suite. The number looks lower than the 94.7 percent posted by version 0.8.0. The drop comes from upstream changes. GNU coreutils 9.11 added 25 new tests. The uutils suite now targets 690 tests instead of 665. Most of the extra failures trace to those new cases. No existing functionality regressed. The project continues to feed test cases and bug reports back to the GNU maintainers.

Platform support widened. WebAssembly and WASI gained ln, dd, mktemp and tty. Cygwin builds and continuous integration stabilized for date and stdbuf. Windows tty handling improved, including better msys2 path support. OpenBSD edge cases received triage. Internationalization advanced as numfmt and du now respect LC_NUMERIC for decimal separators.

Numfmt itself saw an overhaul. Precision rules tightened. Scientific notation is rejected. Zero-padding works for negative numbers. IEC units cap precision correctly. Multi-byte suffix widths calculate properly. These details matter for scripts that parse formatted output in different locales.

Ls received attention as well. Symlink target indicators in long format behave more like GNU. Link-count columns no longer inflate when ACLs appear. Version sorting and recursive mode fixed long-standing bugs. The permissions column width no longer depends on other columns. A refactor even lets crates such as nushell invoke ls logic without forcing all output to stdout.

Thirty new contributors joined for this cycle. Their patches touched everything from fuzz targets to documentation. The project maintains an online playground powered by WebAssembly so users can try commands in a browser. Translation efforts continue on Weblate.

The audit that shaped 0.9.0 traces back to Canonical’s push for Rust in Ubuntu. An April 2026 update on the Ubuntu Discourse site outlined 113 total findings from Zellic. Some reports pegged 44 of them as CVEs. Most were addressed by the time version 0.8.0 landed in Ubuntu 26.04. Yet eight TOCTOU issues remained in cp, mv and rm. Canonical kept those three utilities on the GNU versions for the LTS release. The stated goal is full Rust coreutils in Ubuntu 26.10 once the final gaps close. (https://discourse.ubuntu.com/t/an-update-on-rust-coreutils/80773).

Phoronix covered the audit results in detail days after the blog post appeared. The story noted 70 CVEs plus 73 additional issues. It highlighted the decision to retain GNU binaries for the three riskiest tools in 26.04 while aiming for 100 percent Rust coverage later. (https://www.phoronix.com/news/Ubuntu-Rust-Coreutils-Audit).

Ubuntu 25.10 already shipped Rust coreutils by default to gather real-world data. Bugs surfaced. They were fixed upstream within days. That rapid response quieted some early skeptics. Lead developer Sylvestre Ledru presented progress at FOSDEM 2026. He pointed out that many online criticisms had not aged well once the test coverage climbed and the audit findings were handled.

The GitHub release notes for 0.9.0 frame the cycle as one shaped by the audit. “This cycle was shaped by a third-party security audit, driving extensive TOCTOU hardening and a sustained, project-wide effort to shrink the amount of unsafe code,” the announcement states. It credits the Zellic report and links to a PDF summary. The notes also mention continued upstream collaboration with GNU. (https://github.com/uutils/coreutils/releases/tag/0.9.0).

Recent coverage echoes the same themes. Linuxiac reported the zero-copy improvements and TOCTOU-resistant copy logic on May 31, 2026. The story noted broader GNU compatibility updates and recursive traversal fixes. (https://linuxiac.com/rust-coreutils-0-9-released-with-security-and-performance-improvements/).

So the picture sharpens. Rust coreutils no longer sits on the sidelines as an experimental rewrite. It ships in major distributions. It passes most GNU tests. It fixes classes of bugs that C code has carried for decades. And each release trims unsafe code while adding speed where it counts.

Distributions face a choice. Keep patching decades-old C utilities that still harbor memory-safety risks. Or adopt a memory-safe alternative that still needs polishing around the edges. Canonical chose the latter path with eyes open. The audit made the risks transparent. The 0.9.0 release shows the project closing those gaps at a steady pace.

Watch Ubuntu 26.10. If the remaining TOCTOU work lands and the test suite climbs back above 94 percent, the transition could accelerate. Other vendors may follow. The core command line would then rest on Rust foundations by default. That shift carries consequences for everything from embedded systems to cloud images.

For now the code lives on GitHub. Anyone can build it, test it, file bugs. The playground link lets curious admins experiment without touching production. The momentum feels real. And the audit that could have slowed progress instead sharpened the focus.