Memory safety CVEs differ between Rust and C/C++
5 hours ago
- #Rust-vs-C
- #CVE-comparison
- #memory-safety
- CVE database reports security vulnerabilities, with memory unsafety types being particularly severe and exploit-prone.
- Rust and C/C++ treat potential memory safety vulnerabilities differently; in Rust, safe APIs guarantee memory safety without unsafe blocks.
- In C/C++, triggering undefined behavior through library misuse (like passing NULL to curl_getenv) is considered user error, not a library vulnerability.
- Rust CVEs are reported for any safe API usage that could cause memory bugs, even if not exploited, due to Rust's safety guarantees.
- C/C++ libraries often lack precise API contracts, leading to UB risks that are not typically flagged as CVEs, unlike in Rust.
- Rust's separation of safe and unsafe code scales memory safety, shifting responsibility for bugs to libraries when safe APIs are involved.
- Comparing raw CVE counts between Rust and C/C++ is misleading due to these differing vulnerability reporting standards.