• Category: Engineering post
  • Status: discussion
  • Sources: Kobzol's blog, HN discussion
  • Summary: In a post dated 2026-06-15, Jakub Beranek (Kobzol) argues that raw CVE counts mislead when comparing Rust and C/C++ memory safety because the two ecosystems apply different reporting standards. Using curl_getenv() as the worked example, he notes that in C/C++ a crash caused by "wrong usage" such as passing NULL is treated as caller error and usually not reported as a library CVE, whereas in Rust, if safe (non-unsafe) code can trigger memory unsafety without misuse, it is a library bug and a reportable CVE. The claim is that Rust's unsafe boundary makes a soundness obligation explicit, so Rust libraries may file more memory-safety CVEs without being less safe.
  • Why it matters: Teams using CVE counts to compare language safety in procurement or risk reviews can draw the wrong conclusion if they do not account for the differing thresholds for what counts as a reportable library vulnerability.

Send feedback on this story