
Greg Kroah-Hartman: Rust is Linux’s security answer

Rust will – Linux’s top stable kernel maintainer Greg Kroah-Hartman argued at Rust Week 2026 in Utrecht, Netherlands that Rust is the path to “save Linux” amid an AI-driven surge of serious kernel vulnerabilities, citing specific bugs, the rising pace of CVEs, and the way

For a long month or two, the kernel security list has been filling up fast. Greg Kroah-Hartman said he’s seen it all before—since 2005, he claims to have witnessed “every single kernel security bug ever.” But what’s happening now feels different in its speed and volume.

On the Rust Week 2026 main track, in Utrecht, Netherlands, the Linux stable kernel maintainer walked onstage with a blunt promise. “I’m here to talk about untrusted data and Linux, and how Rust is going to save us.” Then, after laying out why he thinks the security picture keeps worsening, he pushed it even harder: “I’m going to make even a bolder statement and say, ‘You are going to save Linux.’ Sorry, it’s all on you.”

The urgency behind that language isn’t theoretical. Kroah-Hartman said the kernel team has been hit by a sudden flood of serious Linux security holes—vulnerabilities that have come to light thanks to the latest AI bug-detection programs. He pointed to examples including Dirty Frag, Copy Fail, and Fragnesia.

And in the middle of that scramble, the pace of disclosure is startling. Kroah-Hartman said the kernel team is now issuing “13 CVEs [Common Vulnerabilities and Exposures] a day, or something, something crazy.” It’s a number that lands like a warning: not just that vulnerabilities exist, but that the system for finding them is suddenly producing far more than before.

He believes Rust is one of the few realistic ways to reduce the kinds of bugs that keep recurring in C—particularly those tied to traditional error-handling and resource-management pitfalls. He illustrated those pitfalls with real C mistakes inside the kernel, including a 15-year-old Bluetooth bug where a pointer was dereferenced without checking it, and a Xen bug where “we forgot to unlock” in an error path.

Kroah-Hartman’s description of what most kernel bugs look like is plain and unforgiving. “The majority of the bugs in the kernel are this tiny, minor stuff,” he explained. Error conditions aren’t checked. Locks aren’t released. Unreleased memory leaks. “They crash the kernel. This is what we live with in C. This is why we don’t like it.”

Rust, in his telling, doesn’t just replace C. It changes when and how the mistakes get stopped. Kroah-Hartman singled out what he called the “best beauty of Rust”: catching those mistakes at build time rather than in review. With locking, he described Rust’s locking abstractions in the kernel in terms that sounded almost like a promise from the compiler itself.

“The only way you can get access to inner pointers of structures is by grabbing that lock, and releasing the lock automatically. The compiler does it, it’s guarded, the lock happens, everything’s happy. You just can’t write code to access these values… without grabbing the lock. The compiler will not let you.”

He then translated that into a concrete impact claim. “This is going to save us those two things. First, 60% of the bugs in the kernel right there, they’re gone. Thank you.” The key reason, he argued, is earlier enforcement: if correctness gets enforced at build time, it doesn’t rely on a maintainer catching the right issue at the right moment.
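The locking guarantee described above, and the "forgot to unlock" error path it removes, shown as an added userspace example rather than kernel code or code from the talk. It uses the standard library's `std::sync::Mutex` as a stand-in for the kernel's lock abstractions; `Device`, `Ring` and `Error` are hypothetical names.

```rust
use std::sync::Mutex;

// Hypothetical device state. The fields live inside the Mutex, so they are
// only reachable through the guard that lock() returns.
struct Ring {
    slots: Vec<u32>,
    capacity: usize,
}

struct Device {
    ring: Mutex<Ring>,
}

#[derive(Debug, PartialEq)]
enum Error {
    Full,
}

impl Device {
    fn new(capacity: usize) -> Self {
        Device { ring: Mutex::new(Ring { slots: Vec::new(), capacity }) }
    }

    // Writing `self.ring.slots` here does not compile: Mutex<Ring> has no
    // such field. Access requires taking the lock first.
    fn push(&self, value: u32) -> Result<usize, Error> {
        let mut ring = self.ring.lock().unwrap();
        if ring.slots.len() >= ring.capacity {
            // Error path: in C this is where the unlock call gets forgotten.
            // Here the guard is dropped on return, which releases the lock.
            return Err(Error::Full);
        }
        ring.slots.push(value);
        Ok(ring.slots.len())
    }

    // True when nobody holds the lock; used to observe the release.
    fn is_unlocked(&self) -> bool {
        self.ring.try_lock().is_ok()
    }
}

fn main() {
    let dev = Device::new(1);
    println!("{:?}", dev.push(7));
    println!("{:?}", dev.push(8));
    println!("unlocked after error path: {}", dev.is_unlocked());
}
```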

Kroah-Hartman said review time is the scarcest resource inside the kernel project. “We optimize for making code easy to review,” he said, arguing that when maintainers can glance at a pattern and see it’s correct, fewer bugs slip through. With more than 5,000 developers and only around 700 maintainers, he framed Rust as a way to make that review process more manageable.

Even his criticism has a second layer. He said Rust’s influence doesn’t stop at language features. It pushes the surrounding C code to evolve too. Kroah-Hartman recalled an earlier Rust-for-Linux conference where he saw “hundreds of lines of Rust code to deal with two lines of C code,” which made him realize, “I can change the C code. We can change the C code to make the Rust code simpler. We have no problem changing both sides of this barrier. Let’s do that.”

He credited the Rust-for-Linux team for reshaping driver interfaces, saying the work “is going to make drivers simpler to write and harder to write [wrong]… They’ve done a great, great job.”

Underneath all of it is a specific security philosophy he tied to both Rust and the direction of modern kernel work: untrusted data. Borrowing words attributed to Microsoft Security, he told the audience: “If you never remember anything else in my talk, just remember these four words. It came from Microsoft Security many, many years ago. They realized all input is evil. You have to validate all input.”

He described ongoing work in Rust on an “untrusted” type wrapper and a validate method meant to force explicit validation when data crosses from untrusted to trusted. “We have something called untrusted to type add it to the data, and every time you want to actually get access to this data, it’s just a type, it’s not actually code, it’s going to hint to the compiler. You must go through validation before you actually access it.”

For reviewers, that design changes where attention goes. “The one section of the code, you can see all the code that does the validation of the transformation from user space, untrusted data to trusted data in one spot.” He also broadened it to hardware, saying Linux increasingly can’t assume it’s dealing with safe components. “The model and the kernels, we don’t even trust hardware. Hardware is full of bugs, but now you can have malicious hardware, and we’re seeing more and more malicious hardware.”
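A userspace sketch of the wrapper-plus-validate idea described above, added here as an illustration and not the kernel's actual API or code from the talk. `Untrusted`, `RawCopy`, `CopyReq`, `check_copy` and `read_slice` are hypothetical names, and the request layout is constructed for the example.

```rust
mod untrusted {
    /// Private field: code outside this module cannot read the inner value.
    pub struct Untrusted<T>(T);

    impl<T> Untrusted<T> {
        pub fn new(raw: T) -> Self { Untrusted(raw) }
        /// The only exit: consume the wrapper through a validator.
        pub fn validate<V, E>(self, f: impl FnOnce(T) -> Result<V, E>) -> Result<V, E> {
            f(self.0)
        }
    }
}
use self::untrusted::Untrusted;

/// Request as it arrives from user space (constructed sample layout).
pub struct RawCopy { pub offset: u64, pub len: u64 }

/// Trusted form: bounds already checked against the buffer.
struct CopyReq { offset: usize, len: usize }

#[derive(Debug, PartialEq)]
pub enum Invalid { Empty, OutOfBounds }

/// The one spot where untrusted data becomes trusted.
fn check_copy(raw: RawCopy, buf_len: usize) -> Result<CopyReq, Invalid> {
    if raw.len == 0 {
        return Err(Invalid::Empty);
    }
    // checked_add: offset + len must not wrap around past the bounds check.
    let end = raw.offset.checked_add(raw.len).ok_or(Invalid::OutOfBounds)?;
    if end > buf_len as u64 {
        return Err(Invalid::OutOfBounds);
    }
    Ok(CopyReq { offset: raw.offset as usize, len: raw.len as usize })
}

pub fn read_slice(buf: &[u8], req: Untrusted<RawCopy>) -> Result<&[u8], Invalid> {
    // `req.0.offset` does not compile here; validate() is the only way in.
    let c = req.validate(|raw| check_copy(raw, buf.len()))?;
    Ok(&buf[c.offset..c.offset + c.len])
}

fn main() {
    let log = b"kernel-log"; // constructed sample buffer
    println!("{:?}", read_slice(log, Untrusted::new(RawCopy { offset: 7, len: 3 })));
    println!("{:?}", read_slice(log, Untrusted::new(RawCopy { offset: 8, len: 3 })));
}
```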

His forecast was sweeping. “This is what’s going to really save us,” Kroah-Hartman said, tying Rust’s compile-time enforcement and untrusted-data discipline together. “I think I’m going to make this unscientific quote. This is going to save Linux, the combination of all the other stuff and the untrusted data. I think it’s going to get rid of 80% of all the CVEs we have, and that’s a huge, huge number.”

Rust, he warned, isn’t magic—and it shouldn’t be sold that way. He pointed to one of the first Rust components merged into the kernel: QR code display logic used when the kernel crashes. That logic, he said, famously had a memory bug because it accepted a buffer and its size, and the rest of the C code never checked the buffer size—“Could scribble all over memory, because Rust can crash just as bad as C.”

So he set limits for how Rust should spread. He also rejected the idea of rewriting what already exists. When an attendee asked whether he encouraged rewriting existing kernel code with Rust, Kroah-Hartman answered: “No, we don’t want rewrites, so unless you’re the maintainer and owner of that file, just do it for new stuff. Leave existing C code alone, and let’s evolve forward after that.”

He offered Binder, Android’s core interprocess communication (IPC), as an example of a careful transition where C and Rust implementations coexist temporarily to reach parity. After parity, he said, “they’re going to delete the C code, because I trust them, and they are the owners and maintainers of both those.”

Over time, he expects Rust to gain more weight—not by insisting everything changes overnight, but by aligning the safest growth path with new subsystems. He said some subsystems have said that “only new drivers for graphics should be written in Rust,” and that the project is now near a point where “you can write really good drivers for all different types of subsystems in Rust and Linux.” He predicted that “over the next year or two, you will see this.”

The broader philosophy, he said, is evolutionary. “Linux is evolution, it’s not intelligent design,” Kroah-Hartman told the audience. “We evolve over time, and over time, new drivers for new hardware come in. You’ll start using that new hardware. The old driver just won’t get used anymore. Eventually, we’ll delete them, as we do after about 20 years.”

In the meantime, he quantified where Rust stands inside the kernel today. “Today, 36 million lines of Linux are in C, with 113,000 lines of Rust. Most of all, this is binding.” He explained that because drivers make up much of the kernel, “Alice Ryhl, a top Rust Android programmer and the Rust-for-Linux developers, have had to go and write bindings for everything in order to write a tiny driver in Rust.”

That binding work comes with its own tradeoffs. He said the community doesn’t like adding code to the kernel that isn’t being used, calling it “hard to add a binding… unless you have a user for it.” He described it as a “chicken-and-egg problem,” saying “we’ve had to bend that rule a little bit.”

And he pointed to deployments he expects to bring Rust from conference talk into daily life. “Android phones will be coming out, hopefully soon, running all the [Rust] code in Binder. So that’s again, billions of devices can be running Rust in Linux soon.”

Behind the push is a belief that Rust makes the work of maintainers easier, not heavier. He said CI [Continuous Integration] bots enforce builds and Rust’s type system enforces key invariants, letting maintainers “focus on the logic” instead of resource bookkeeping. “I can care about that one function. I don’t have to worry about the rest of this stuff, because I assume that it works properly, because it was built properly.”

Inside the kernel leadership circle, Kroah-Hartman says the decision is already settled. “The Linux kernel maintainers, we get together every year and talk about what the processes are doing. Last year, we said the Rust experiment is over. It’s not an experiment. This is for real.”

He closed with the kind of wry confidence that has become part of his public style. “The people behind it are real. We trust them. We know what they’re doing. They’ve shown and put in the work to make Rust a viable language in the kernel, and we’re going to make this stick. Let’s go full speed ahead. And, as always,” he said, adding: “world domination proceeds.”


4 Comments

  1. I don’t get it… Linux is already everywhere so why are there still bugs like it’s 2005? If Rust “saves Linux” then where is it already working, like right now? Sounds like hype talk to me.

  2. Untrusted data?? That feels like some AI panic headline thing. Like the article is saying AI made hackers faster and now Rust fixes that, but won’t people just add more bugs in Rust too? Also he said he’s seen “every single” bug since 2005 which… I’m not sure anyone can actually know that.

  3. I saw something about CVEs and I instantly assumed it’s because companies rush updates for profit. Rust this, Linux that… meanwhile regular folks just want stuff to work without having to patch every week. “Sorry it’s all on you” is kinda wild though, like bro calm down. Is Rust gonna replace the kernel or just make the security list less scary? Because those are different things.
