内存安全类 CVE 在 Rust 和 C/C++ 之间存在差异。

内存安全类 CVE 在 Rust 和 C/C++ 之间存在差异。
How memory safety CVEs differ between Rust and C/C++

原始链接: https://kobzol.github.io/rust/2026/06/15/how-memory-safety-cves-differ-between-rust-and-c-cpp.html

由于 Rust 和 C/C++ 在处理内存安全及 API 契约方面存在根本差异，直接比较两者的 CVE 数量往往具有误导性。在 C/C++ 中，许多 API 本质上是脆弱的；它们往往缺乏类型系统的约束来防止“错误用法”（例如传递空指针），这可能导致内存损坏。由于这种情况非常普遍，C/C++ 的维护者很少为此类用法错误发布 CVE，否则数据库将会不堪重负。因此，安全的重担落在了用户身上，即便库存在被误用的风险，通常也被认为是“正常”的。相反，Rust 区分了安全代码（safe）和非安全代码（`unsafe`）。如果一个库提供了安全且稳定的 API，那么由此产生的任何内存错误——即使是由“错误”用法引起的——都被视为库层面的“可靠性”（soundness）漏洞，并会发布有效的 CVE。Rust 的设计将安全检查强制整合进库本身，确保只要不使用 `unsafe` 关键字，就无法导致内存损坏。因此，Rust 的 CVE 往往更加“严格”，涵盖了在 C/C++ 中会被直接忽略的边缘情况。这使得单纯的 CVE 数量比较无法准确衡量软件的整体稳健性。

链接中的 Hacker News 讨论聚焦于 Rust 与 C++ 在实际安全价值上的辩论。一位评论者认为，对于大多数开发者而言，Rust 的借用检查器（borrow checker）意义不大，并声称内存相关漏洞仅占典型应用程序 Bug 的 1%。他们指出，现代 C++ 的特性（如数组边界检查和强制初始化）已解决了大部分内存问题，而现实世界中大多数安全威胁（如供应链攻击和身份验证不当）并不会因内存安全性而得到缓解。相反，另一位参与者强调，Rust 并非内存安全的“万能药”。他们指出，通过语言中的健全性漏洞（soundness holes）、标准库中的缺陷或第三方依赖项中的问题，Rust 仍可能出现未定义行为（UB）。此外，他们认为，编写完全不含 `unsafe` 代码的安全程序对许多库作者来说极其困难，往往导致他们不得不依赖像 Miri 这样的工具，而这些工具本身也存在局限性。归根结底，这场讨论突显出：虽然内存安全性是一个关键议题，但选择某种语言所带来的实际安全影响是微妙的，且往往被更广泛的架构风险和供应链风险所掩盖。

原文

CVE is a database used for categorizing and reporting security vulnerabilities in software. There are various kinds of vulnerabilities that can be reported. Some of them are caused simply by bugs in the program logic (like a recent CVE reported in Cargo), but some of the most nasty ones are caused by memory unsafety, which can easily lead to exploits. In this post I want to focus on the latter kind of CVEs, how they are reported, especially in libraries, and how it differs between Rust and C or C++.

Because sometimes I see people online who compare the number of CVEs in Rust and C/C++ software, which tends to be accompanied by claims about Rust not being really memory safe or not being worth adopting when CVEs can still exist in it. And sometimes I also observe similar views when I teach Rust to programmers who are used to programming in C or C++.

Now, anyone is, of course, free to do such comparisons, and make their own conclusions based on it. But I think that there is an important difference in how potential vulnerabilities related to memory safety are treated in Rust and C/C++, which might not be obvious at first, especially if you don’t know how Rust works. I’d like to explain that in this post.

But first, I should clarify that it is absolutely possible to cause memory unsafety bugs and undefined behaviour in Rust. In the vast majority of cases^{, the unsafe keyword is required for
this to happen, but anyone who claims that Rust programs cannot experience UB at all is simply incorrect.
It is also perfectly possible to cause general vulnerabilities (meaning those unrelated
to memory unsafety) in Rust. Forgetting to add a check that your admin dashboard is only accessible to admins can happen in any language, after all.}

And yet, there is something very different between potential vulnerabilities in Rust and C or C++, which is related to the core reason of why Rust is actually much more memory safe in practice than C or C++. I’ll try to demonstrate it on the curl networking library, which is written in C.

Potential vulnerability in curl?

(lib)curl is one of the most used and well-maintained open source libraries in the world. Its primary developer, Daniel Stenberg, is one of the most prolific open source maintainers of our time, and together with many other people, he has been dilligently improving this library for the past 30 years. Despite having to deal with a recent avalanche of CVEs found by LLMs, he and his collaborators are doing a very good job of keeping curl safe from potential exploits and vulnerabilities, and they take pride in curl being a very robust piece of software.

So, let’s take that to the test, shall we? I opened the documentation of libcurl and found the first function I saw that accepts an argument, curl_getenv. This is supposed to be a simple function that provides a portable abstraction for getting the value of an environment variable across different operating systems. curl is supposed to be safe and robust, so surely this function doesn’t contain any UB or memory unsafety, right? So what about the following C program?

#include <curl/curl.h>

int main(void) {
    curl_getenv(NULL);
}

This 5-line C program is as simple as it gets, it just calls the curl_getenv function with a NULL pointer argument, and compiles without any warnings. And yet, when you execute it, you (might) get a segfault, and thus a memory safety bug, and thus a potential vulnerability/exploit:

$ gcc test.c -otest -lcurl -Wall -Wextra
$ ./test
Segmentation fault (core dumped)

Of course, this program is artificially simple, but that’s kind of the point. In practice, situations like this can (and do) easily happen in larger programs by accident all the time.

Huh. So maybe curl isn’t so safe after all? Should I go and report this as a vulnerability in curl?!

No, of course not. That would be stupid. I know that, you know that. But how do we actually know it? That’s the interesting part.

Consider a very similar program that would call the function like this: curl_getenv("FOO"). What if that program would still segfault, and thus contain a potential vulnerability? I am sure that the curl maintainers would like to know about that happening, and would consider it to be a pretty big issue if I reported it! At the same time, I’m sure that they would (rightfully) tell me off if I reported the first program as a vulnerability in curl. Yet those two programs differ only by so little.

So, what gives? Well, in practice, UB like the one in my original example is said to be caused by “wrong usage”^{, and it is not considered to be an issue in the library or API that I am using, but in my (application)
code. This is done mostly for the following two reasons:}

In C, it is often not possible to specify the contract (invariants, preconditions, postconditions, etc.) of APIs precisely^{due to its limited type system, and library authors often
don’t bother describing all possible kinds of wrong usage, as it would not be practical.}

Indeed, the documentation of curl_getenv does not say that calling it with NULL is forbidden and might lead to a segfault! The authors thus assume that you will use the library “correctly” (whatever that means), and if you don’t, then any caused vulnerabilities are your fault.
The fact that it is so simple to trigger UB by accident in C or C++ means that if we reported all the potential possibilities of causing a vulnerability, such as the one in my example program, most C or C++ libraries would be flooded by millions of CVEs. It wouldn’t make sense to do that, because there would be five different ways of potentially causing a vulnerability in every function call.

And thus, in C and C++, we usually do not consider similar situations to warrant a CVE in the used library. In other words, we create CVEs for specific misuses of a library, not for the existence of a library API that can be misused.

How does it differ in Rust?

So, what is the crucial difference between how the situation above would be treated in C or C++ and in Rust? hyper is likely the most popular networking/HTTP library in Rust, spiritually similar to libcurl in C. Imagine that hyper would have a similar simple function that would take an argument, I would write a Rust program like this:

fn main() {
    hyper::foo(None);
}

Then I’d hit cargo run, and the program would segfault. Would that be a CVE in hyper? Yes, absolutely^!

The program does not contain any unsafe blocks, so if a memory bug occurs, it had to be caused by the hyper library having a soundness bug.

The difference is that in Rust, when it is in any conceivable way possible to use a library such that a memory bug occurs, without using unsafe in the user code, it is always a bug in the library, not in the user code. That is why we call such APIs unsound, or say that they have a soundness hole, because there is a way to use them wrong (w.r.t. memory safety) in safe Rust.

In other words, we create CVEs when it is possible to use a safe library API in a way that might cause a memory bug, even if we haven’t (yet) found any program in the wild that would actually do so. This means that some of the CVEs reported in Rust are much more “strict” than the ones in C or C++, which some people don’t find “fair”.

If we applied the same logic to C, then curl_getenv should be flagged as a CVE in curl, because it is possible to use it in a way that causes a memory bug. But of course, this doesn’t really make sense in C, because there is no concept of safe and unsafe C (or rather, all C code is implicitly unsafe), which is why I said earlier that reporting this CVE would be stupid.

The answer to the question “do I use this function correctly” (with respect to memory safety issues, not logic bugs), which is often difficult to figure out in C or C++, is very simple in Rust:

If the called function is not marked with unsafe, then the answer is simply YES. It is impossible to use it incorrectly.
If the called function is unsafe, I must mark the call with an unsafe block, which makes it immediately obvious during code review and in the codebase that this place is potentially dangerous. In this (usually very rare) case, we revert back to the level of C or C++.

The first part of the answer is what enables Rust’s memory safety to scale in practice. If you do not use unsafe in your code, which is not needed in the vast majority of situations (unless you are writing something like an operating system or a lock-free data structure), and don’t encounter a compiler bug, you know that any potential causes of memory unsafety are not your fault. If a library does not expose any unsafe interface, you simply cannot use it in a way that would cause memory bugs, unless the library uses unsafe internally and has a bug. But if that happens, the bug is fixed within that library, and all its users are then again automatically safe from memory bugs.

This is the difference between Rust and C or C++. Even though the developers of curl are doing awesome work to build a perfectly safe and robust C library, the millions of other C programs that use it can still very easily introduce memory unsafety just by “holding it wrong”, without the curl developers having any way of preventing that.

Conclusion

I used curl as an example, but the same holds for pretty much any C or C++ library, including the standard libraries of those two languages (and also other memory unsafe languages in general). Originally I wanted to show more examples, but in the end I realized that they are all the same, so I stayed with the single curl function, because I think it demonstrates the difference well.

What I described in this blog post is not really ground-breaking in any way, and I think that it is kind of universally understood by most people who know how Rust works. But I also don’t remember seeing any blog post about this, and I was repeatedly explaining it to some people, so I wanted to write down some thoughts about it, so that I can simply link to them the next time this debate happens again.

I hope that what I described above shows that comparing raw numbers of CVEs per line of code of Rust and C or C++ is all kinds of misleading, and we should take that into account when comparing the memory safety of Rust and other systems programming languages.

If you have a different idea on how CVEs (should) work in Rust or C/C++, let me know on Reddit.