At Rust Week 2026 in Utrecht, Netherlands, Linux stable kernel maintainer Greg Kroah-Hartman delivered a keynote that would've sounded hyperbolic two years ago but now reads as simple arithmetic: AI is discovering security holes in the kernel faster than humans can patch them, and C code can't keep up. "I'm here to talk about untrusted data and Linux, and how Rust is going to save us," Kroah-Hartman opened. Then he doubled down: "You are going to save Linux. Sorry, it's all on you." The crowd wasn't just being polite; they've been living the crisis firsthand.
The CVE Flood Is Real
Kroah-Hartman revealed that the kernel security team is now issuing roughly 13 CVEs per day, a rate he called "something crazy" after what he described as "a long month or two on the kernel security list." New vulnerabilities like Dirty Frag, Copy Fail, and Fragnesia have surfaced thanks to AI-powered bug-detection programs. For context: this man has reviewed every single kernel security flaw since 2005. When Kroah-Hartman sounds alarmed, you listen. He illustrated C's inherent weaknesses with a 15-year-old Bluetooth bug that dereferenced a pointer without checking it, and a Xen vulnerability where "we forgot to unlock" in an error path. "The majority of the bugs in the kernel are this tiny, minor stuff," he explained. "Error conditions aren't checked, locks aren't forgotten, unreleased memories leak." These individually seem trivial but accumulate into critical vulnerabilities over time.
Rust's Build-Time Advantage
Kroah-Hartman's core argument centers on where bugs get caught: in C, correctness is a human review problem; in Rust, it's enforced by the compiler. When it comes to locking primitives, he demonstrated how Rust's kernel abstractions make certain classes of errors literally impossible to write: "The only way you can get access to inner pointers of structures is by grabbing that lock, and releasing the lock automatically. The compiler does it." He put a number on it: "60% of the bugs in the kernel right there, they're gone. Thank you." The payoff isn't just fewer bugs; it's cheaper reviews. With over 5,000 developers contributing to the kernel but only around 700 maintainers, review time is the scarcest resource in the project.
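The locking point above can be shown in userspace Rust. This is an added example, not code from the talk or from the kernel: it uses `std::sync::Mutex` rather than the kernel's own lock abstractions, and `Device`, `RingState` and `submit` are hypothetical names. The error path returns early without any unlock call, and the lock is still released.

```rust
use std::sync::Mutex;

/// Hypothetical device state; the counters are reachable only through the Mutex.
struct RingState {
    pending: u32,
    capacity: u32,
}

struct Device {
    ring: Mutex<RingState>,
}

#[derive(Debug, PartialEq)]
enum SubmitError {
    RingFull,
}

impl Device {
    fn new(capacity: u32) -> Self {
        Device { ring: Mutex::new(RingState { pending: 0, capacity }) }
    }

    /// Queue one request. The guard returned by lock() is the only path to
    /// `pending`; it is dropped, and the lock released, on every return path.
    fn submit(&self) -> Result<u32, SubmitError> {
        let mut ring = self.ring.lock().unwrap();
        if ring.pending == ring.capacity {
            // Error path: there is no explicit unlock here to forget.
            return Err(SubmitError::RingFull);
        }
        ring.pending += 1;
        Ok(ring.pending)
    }

    /// True if the lock is free right now (shows the error path released it).
    fn lock_is_free(&self) -> bool {
        self.ring.try_lock().is_ok()
    }
}

fn main() {
    let dev = Device::new(1);
    println!("{:?}", dev.submit());
    println!("{:?}", dev.submit());
    println!("lock free after error: {}", dev.lock_is_free());
}
```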
The Untrusted Data Model
Beyond locking and memory safety, Kroah-Hartman championed Rust's work on explicit input validation through an "untrusted" type wrapper. Borrowing a line from Microsoft Security: "All input is evil." In practice, this means marking untrusted data at the type level and forcing every access point to go through validation, making review targets obvious rather than scattered across millions of lines of code. Kroah-Hartman's projection was stark: "This is what's going to save Linux, the combination of all the other stuff and the untrusted data. I think it's going to get rid of 80% of all the CVEs we have." That claim remains aspirational, but the type system provides a concrete mechanism to pursue it.
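A minimal userspace sketch of the "untrusted" wrapper idea described above, added here as an illustration and not taken from the talk or the kernel tree. The names `Untrusted`, `Validate`, `Frame` and `handle`, and the wire format, are assumptions made for this example; the point is that the raw bytes cannot be read except through the one `validate` implementation a reviewer has to audit.

```rust
mod untrusted {
    /// Data that crossed a trust boundary. The field is private to this module
    /// and there is no Deref, so callers cannot read it without validating.
    pub struct Untrusted<T>(T);

    /// Hypothetical trait: the single place where raw input is inspected.
    pub trait Validate<T>: Sized {
        type Error;
        fn validate(raw: T) -> Result<Self, Self::Error>;
    }

    impl<T> Untrusted<T> {
        pub fn new(raw: T) -> Self { Untrusted(raw) }
        pub fn validate<V: Validate<T>>(self) -> Result<V, V::Error> { V::validate(self.0) }
    }
}
use untrusted::{Untrusted, Validate};

#[derive(Debug, PartialEq)]
pub enum FrameError { TooShort, LengthMismatch { declared: usize, actual: usize } }

/// A frame whose declared length has been checked against the real payload.
pub struct Frame { pub kind: u8, pub payload: Vec<u8> }

impl Validate<Vec<u8>> for Frame {
    type Error = FrameError;
    // Constructed wire format: [kind: u8][len: u16 little-endian][payload].
    fn validate(raw: Vec<u8>) -> Result<Self, FrameError> {
        if raw.len() < 3 { return Err(FrameError::TooShort); }
        let declared = u16::from_le_bytes([raw[1], raw[2]]) as usize;
        let actual = raw.len() - 3;
        if declared != actual {
            return Err(FrameError::LengthMismatch { declared, actual });
        }
        Ok(Frame { kind: raw[0], payload: raw[3..].to_vec() })
    }
}

/// Driver-style entry point: it accepts only Untrusted input.
pub fn handle(input: Untrusted<Vec<u8>>) -> Result<(u8, usize), FrameError> {
    let frame = input.validate::<Frame>()?;
    Ok((frame.kind, frame.payload.len()))
}

fn main() {
    // Constructed sample inputs: one well-formed, one with a lying length field.
    println!("{:?}", handle(Untrusted::new(vec![1, 2, 0, 0xAA, 0xBB])));
    println!("{:?}", handle(Untrusted::new(vec![1, 0xFF, 0xFF, 0xAA])));
}
```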
Even If Rust Disappeared Tomorrow
Here's the part that should make every systems programmer pay attention: Kroah-Hartman credits Rust with already forcing cleanup in C code. "We stole this from Rust. Thank you," he said. The kernel now has C-scoped locks and allocators inspired by Rust patterns, making it harder to get locking wrong even in new C code. When early Rust-for-Linux work required hundreds of lines of Rust bindings for two lines of C, Kroah-Hartman's reaction was pragmatic: "I can change the C code." That cross-pollination is now reshaping driver interfaces system-wide.
The Numbers Today
Kroah-Hartman provided hard figures: 36 million lines of Linux are currently in C, with approximately 113,000 lines written in Rust, mostly bindings. Alice Ryhl and the broader Rust-for-Linux team have had to write bindings for virtually every kernel subsystem just to enable small drivers. The chicken-and-egg problem is real: maintainers resist adding unused bindings, but developers can't write Rust without them. Kroah-Hartman acknowledged they've bent that rule. Still, Android phones running all-Rust Binder code are coming soon, a deployment that touches billions of devices.
This Is Not an Experiment Anymore
Kroah-Hartman closed with what amounts to a formal declaration from the top maintainers: "Last year, we said the Rust experiment is over. It's not an experiment. This is for real." The rationale wasn't philosophical; it was empirical. The people behind Rust-for-Linux have demonstrated competence and staying power. The top maintainers trust them. And in true Kroah-Hartman fashion, he signed off with characteristic dry humor: "Let's go full speed ahead. And, as always, world domination proceeds."
Key Takeaways
- Linux kernel maintainers are processing 13 CVEs per day, driven by AI-assisted bug discovery
- Rust's type system catches ~60% of common kernel bugs at compile time rather than during review
- An "untrusted data" model with explicit validation points could eliminate up to 80% of future CVEs
- Top maintainers have formally declared the Rust experiment over: it's production-ready
- Android devices will soon run all-Rust Binder code, affecting billions of deployments
The Bottom Line
Kroah-Hartman isn't being dramatic when he says Rust will save Linux; he's doing math. When AI can find bugs faster than your reviewer pool can catch them, you need a language where correctness is enforced by the compiler, not inspected by humans under deadline pressure. C served us for 30 years, but we're in a different threat landscape now. The question isn't whether Rust wins; it's how fast adoption accelerates once maintainers see their CVE rates drop.