The Great Userland Oxidation: Rust Coreutils 0.9.0, the Zellic Audit, and Microsoft's Windows Port
Rust Coreutils 0.9.0 has arrived, bringing massive security hardening and a new TOCTOU-resistant copy engine. Driven by a major third-party audit for Ubuntu and a surprise native port to Windows by Microsoft, the core command-line tools we rely on are officially being rewritten in safe, zero-copy Rust.
For years, the dream of "oxidizing" the operating system userland has been a passionate community effort. Rewriting core command-line utilities—like cat, ls, cp, and mv—in Rust promised to eradicate the memory-safety bugs that have plagued GNU systems for decades.
With the release of Rust Coreutils 0.9.0 (uutils), that dream has transformed into an enterprise-grade reality. Propelled by a rigorous third-party security audit for Ubuntu 26.04 LTS and a surprise native integration announcement by Microsoft, Rust is officially taking over the terminal.
The Zellic Audit: Solving Bugs the Borrow Checker Missed
When Canonical decided to replace traditional GNU Coreutils with Rust’s uutils in Ubuntu, they knew an internal check wouldn't cut it. They commissioned Zellic, an elite cybersecurity research firm, to conduct a comprehensive external audit.
The audit surfaced a crucial realization: the borrow checker does not protect against logical race conditions.
While Rust inherently prevents buffer overflows and use-after-free errors, it cannot natively block TOCTOU (Time-of-Check to Time-of-Use) vulnerabilities. In filesystem utilities, a TOCTOU bug occurs when a program verifies a file's state (the Check) but an attacker swaps the file with a symbolic link before the program executes its operation (the Use).

To eliminate these logical flaws, Coreutils 0.9.0 introduces a brand-new, TOCTOU-resistant copy engine under the uucore::safe_copy module. This architecture ensures that file descriptors are opened and operated on atomically, making mid-operation directory-swapping attacks impossible.
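The check/use gap described above, as an added Rust example (std only, Unix); it is not code from uutils or its uucore::safe_copy module. The function names, the `window` hook and the temp-directory scenario are constructed for illustration, and the lstat/fstat inode comparison shown covers only a swap of the final path component.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::Path;

/// Racy: the check and the open each resolve `path` on their own.
/// `window` (hypothetical hook) stands in for anything that runs in between.
fn open_by_path(path: &Path, window: impl FnOnce()) -> io::Result<File> {
    if fs::symlink_metadata(path)?.file_type().is_symlink() {
        return Err(io::ErrorKind::InvalidInput.into());
    }
    window(); // Check is done; the name may resolve elsewhere by now.
    File::open(path) // Use: follows whatever the name resolves to now.
}

/// Descriptor-anchored: open once, then validate the object that was opened.
fn open_by_fd(path: &Path, window: impl FnOnce()) -> io::Result<File> {
    let named = fs::symlink_metadata(path)?; // lstat: the directory entry itself
    window();
    let file = File::open(path)?;
    let opened = file.metadata()?; // fstat: the object behind the descriptor
    if !named.is_file() || (named.dev(), named.ino()) != (opened.dev(), opened.ino()) {
        return Err(io::ErrorKind::InvalidInput.into());
    }
    Ok(file) // Later reads go through this descriptor, never the name again.
}

/// Constructed scenario: `victim` becomes a link to `secret` inside the window.
fn demo(dir: &Path, hardened: bool) -> io::Result<String> {
    fs::create_dir_all(dir)?;
    let (victim, secret) = (dir.join("victim"), dir.join("secret"));
    let _ = fs::remove_file(&victim); // reset any link left by an earlier run
    fs::write(&victim, "public")?;
    fs::write(&secret, "secret")?;
    let swap = || {
        fs::remove_file(&victim).and_then(|_| symlink(&secret, &victim)).unwrap();
    };
    let mut file = if hardened { open_by_fd(&victim, swap)? } else { open_by_path(&victim, swap)? };
    let mut out = String::new();
    file.read_to_string(&mut out)?;
    Ok(out)
}

fn main() {
    let dir = std::env::temp_dir().join(format!("toctou-demo-{}", std::process::id()));
    println!("path check: {:?}", demo(&dir, false));
    println!("fd check:   {:?}", demo(&dir, true));
    let _ = fs::remove_dir_all(&dir);
}
```

The path-based variant passes its check and then reads the other file, while the descriptor-based variant notices that the object it opened is not the one it inspected and refuses.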
Purging C Dependencies with rustix and Zero-Copy I/O
Security in Coreutils 0.9.0 goes beyond logic fixes. The developers undertook a massive campaign to shrink the remaining footprint of unsafe code.
Previously, uutils relied on bindings like nix and libc to talk to the operating system, which required handling raw C-style pointers. Coreutils 0.9.0 migrates these low-level system calls to rustix, a pure-Rust system call interface. By stripping out C-runtime bindings, the codebase keeps raw memory manipulation to an absolute minimum.
On the performance front, the release introduces raw, zero-copy I/O optimizations:
- Zero-Copy Pipelines: Utilizing raw Linux system calls like splice, tee, and pipe, utilities can pass data directly between kernel buffers.
- The "tee" Hack: High-throughput utilities like yes and cp now use tee natively, allowing them to pipe gigabytes of data with virtually zero CPU overhead.
Microsoft Joins the Oxidation Wave
Perhaps the most surprising twist came from Redmond. At Microsoft Build 2026, Microsoft announced "Coreutils for Windows".
Rather than wrapping commands in emulation layers or utilizing WSL, Microsoft has compiled uutils natively for Windows shells. Windows developers can now run commands like cat, ls, and uptime natively using highly optimized, memory-safe binaries compiled in pure Rust.
As Rust Coreutils 0.9.0 proves, rewriting the core of computing isn't just about avoiding crashes—it's about building a faster, atomic, and truly cross-platform future.