ACE Journal

Memory-Safe Rewriting of Linux Kernel Subsystems in Rust

Abstract

The Linux kernel’s ongoing Rust integration, which reached in-tree support with kernel 6.1 in late 2022 and has expanded steadily since, entered a new phase in early 2026 as maintainers began targeted rewrites of high-risk C subsystems. This article examines the security rationale for memory-safe rewrites, the practical boundaries of what Rust guarantees in kernel space, and the technical and organizational friction that slows adoption despite clear vulnerability reduction data.

Why Kernel Memory Safety Matters Now

Roughly 67-70% of serious Linux kernel CVEs over the past decade trace back to memory-safety violations: use-after-free, buffer overflows, uninitialized reads, and integer wraps that corrupt adjacent memory. These bugs are disproportionately costly because the kernel operates in ring 0 with unrestricted hardware access. A single exploitable use-after-free in a network driver or filesystem layer can yield full local privilege escalation or, in containerized environments, container escape. The appeal of Rust is straightforward: its ownership model eliminates whole classes of these bugs at compile time, without a garbage collector and without sacrificing zero-cost abstractions.

What Early Kernel Rust Actually Covers

As of January 2026, Rust in the mainline kernel is not a wholesale rewrite. The infra provides safe abstractions over kernel primitives - spinlocks, reference-counted objects, file descriptors - and the first merged Rust drivers target simple, well-bounded subsystems like the Apple IOMMU and the NVMe PHY layer. The more security-sensitive targets being prototyped externally include the io_uring subsystem (which has been a prolific CVE source), parts of bpf, and selected network driver families. The key constraint is that safe Rust in kernel context still calls into unsafe C for most kernel services; the guarantee is narrower than userspace Rust, because the runtime invariants the compiler assumes (valid stack, no concurrent mutation without synchronization) must be upheld manually at the C/Rust boundary.

Friction Points and the Path Forward

Maintainer resistance is real. Long-tenured subsystem owners face a steep Rust learning curve, and the kernel community has no consensus on how to handle mixed C/Rust modules in terms of review burden and ABI stability. The rustc version pinning policy inside the kernel tree also creates tension with the Rust toolchain’s rapid release cadence. The LKML threads around the proposed Rust rewrite of the fs/ext4 path in late 2025 illustrated all of these tensions. Despite friction, the direction is settled: the Linux Foundation’s security team and major kernel contributors at Google, Meta, and ARM are all funding Rust kernel work. The expected near-term payoff is fewer zero-days in the network stack and block layer, the two surfaces most exposed to untrusted input.

Practical Takeaways for Security Teams

Organizations running custom kernel builds or kernel modules should begin assessing Rust toolchain readiness in their build pipelines now. Teams maintaining out-of-tree drivers written in C for security-sensitive applications - network inspection, storage encryption, container runtime - should treat the upstream Rust rewrite roadmap as a signal to plan rewrites or wrappers rather than waiting for forced migration. Static analysis tools like Coccinelle and smatch remain the best near-term complement; they catch many of the same classes Rust would eliminate, on existing C code.