
CVEs for experimental (rust) code ?

Posted Dec 23, 2025 16:07 UTC (Tue) by moltonel (subscriber, #45207)
Parent article: The state of the kernel Rust experiment

I've seen a lot of disagreement on that topic, and no clear "official" statement.

Would a CVE filed against an experimental feature get rejected ? Is the CVE assignment process systematic/exhaustive enough to catch all bug fixes ? Is the main reason we have so few CVEs for the rust experiment that experimental code is intentionally excluded ? Is CVE-2025-38033 a counter example ?



CVEs for experimental (rust) code ?

Posted Dec 25, 2025 7:57 UTC (Thu) by gregkh (subscriber, #8)

> Would a CVE filed against an experimental feature get rejected ?

No.

> Is the CVE assignment process systematic/exhaustive enough to catch all bug fixes ?

We hope so, if we miss any, please let the developers at cve@k.o know.

> Is the main reason we have so few CVEs for the rust experiment that experimental code is intentionally excluded ?

No.

And as always, people can just _ask_ the kernel cve maintainers stuff like this if they are curious :)

CVEs for experimental (rust) code ?

Posted Dec 26, 2025 19:25 UTC (Fri) by moltonel (subscriber, #45207)

Thanks for these insights. Sorry for lazily asking here instead of on the cve ml.

So, what do you think is the reason we had so few RfL CVEs so far ? Is that related to the code being considered "experimental" ? Does CVE-2025-38033 count as a RfL CVE ? It's hard to imagine that no bugs had been found yet, maybe the fixes were not backported to stable kernels ?

CVEs for experimental (rust) code ?

Posted Dec 27, 2025 9:04 UTC (Sat) by gregkh (subscriber, #8)

> So, what do you think is the reason we had so few RfL CVEs so far ?

Perhaps because there has not been much rust code that is used in the kernel before now? That's just my guess, could be wrong.

> Is that related to the code being considered "experimental" ?

Again, no, the cve team does not use that as a criterion at all.

> Does CVE-2025-38033 count as a RfL CVE ?

No idea, feel free to count it if you want to :)

> It's hard to imagine that no bugs had been found yet,

Take a look at the code changes over time to determine if this is true or not, I do not know.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds