113 Flaws Found in Rust Coreutils

Canonical has published preliminary results of an independent security audit of the uutils coreutils (Rust Coreutils) toolkit, written in the Rust language and partially used in Ubuntu instead of the GNU Coreutils package. The audit was performed by Zellic, which has experience in analyzing vulnerabilities in Rust projects. During the audit, 113 security issues were identified.

A report (PDF, 156 pages) with the results of the first stage of the audit, covering the most important utilities from the uutils set, is now available. In the first stage, which was carried out from December 2025 to January 2026, 73 vulnerabilities were identified, of which 7 were marked as critical, 11 as dangerous, 29 as medium risk and 26 as non-hazardous.

The second stage of the audit was carried out from February to March and covered minor utilities that were not tested in the first stage. In the second stage, 40 vulnerabilities were found, whose severity has not yet been detailed (the report is planned to be published later). Information about all identified issues has already been passed to the uutils developers, and most of the vulnerabilities have been fixed in the uutils 0.5-0.8 releases without unnecessary publicity and without marking the connection between the fixes introduced and the vulnerabilities they eliminate.

The rust-coreutils package was enabled by default in the autumn release of Ubuntu 25.10, but, taking into account the problems identified during the audit, the LTS branch Ubuntu 26.04 returns to the cp, mv and rm utilities from the GNU Coreutils set. It is
