Hacker News

throwa356262 today at 6:29 AM, 3 replies

That was a lot of CVEs

Goes to show that not all security bugs are memory related bugs


Replies

sph today at 7:47 AM

Not aimed at you but... no sh*t. The "Rewrite it in Rust" community never heard of the second-system effect.

I'd rather use something written in a crappier language that has been battle-tested for decades, personally.

nine_k today at 7:06 AM

Indeed, many bugs are API usage bugs, something that no language can verify. (The API is implemented in C anyway.)

IshKebab today at 7:46 AM

I wish they'd put the severity. There are 4 highs, the rest are medium or low. Here are the high ones:

https://www.cve.org/CVERecord?id=CVE-2026-35338 - `chmod --preserve-root` can be bypassed. That doesn't seem that bad tbh.

https://www.cve.org/CVERecord?id=CVE-2026-35341 - `mkfifo` accidentally resets the permissions of files that already exist, so if you manage to do `sudo mkfifo /etc/shadow` then it becomes world readable.

https://www.cve.org/CVERecord?id=CVE-2026-35352 - TOCTOU in `mkfifo` lets you do the symlink trick to get it to change permissions on an unrelated file.

https://www.cve.org/CVERecord?id=CVE-2026-35368 - You might be able to get chroot to execute arbitrary code.

Tbh I doubt if any of these would ever result in a real hack, unless your system is doing really mental things like running shell scripts with untrusted input.

I could only find a couple of CVEs that looked actually serious for GNU Coreutils too though. IMO if you're using these tools with untrusted input your system is janky enough that there are going to be serious flaws in it anyway. Probably through quoting mistakes.

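The two mkfifo issues in the comment above (an existing object getting its permissions reset, and a symlink letting the mode land on an unrelated file) are both instances of one bug class: applying a mode by path name after creation. The following is an added illustration written for this page, not uutils' or GNU coreutils' code, and it does not claim to reproduce the exact code path behind either CVE. It shows a deliberately vulnerable `mkfifo_vulnerable()` beside a hardened `mkfifo_hardened()`, and a constructed scenario (`run_scenario()`, temp dir under /tmp, a 0600 "secret" file, an attacker-placed symlink at the FIFO path) that models the already-won race rather than racing for real. Function and path names are the example's own assumptions; it targets Linux/glibc.

```c
/* Added example: "chmod by path after mkfifo" bug class vs. a hardened variant.
 * Not the code of any real project; names and the /tmp layout are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (intentional): an existing path, file or symlink, is silently
 * accepted (EEXIST swallowed), and the mode is then applied by name. chmod()
 * follows symlinks, so whatever the attacker pointed the name at gets `mode`. */
int mkfifo_vulnerable(const char *path, mode_t mode) {
    if (mkfifo(path, 0666) != 0 && errno != EEXIST)
        return -1;
    return chmod(path, mode);
}

/* Hardened pattern: creation must succeed (EEXIST is an error, never a no-op);
 * the object is then opened with O_NOFOLLOW, verified to be a FIFO via fstat(),
 * and the mode is applied with fchmod() on that descriptor, not on the name. */
int mkfifo_hardened(const char *path, mode_t mode) {
    if (mkfifo(path, mode) != 0)
        return -1;
    /* O_NONBLOCK lets a reader open a FIFO even though no writer is present. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode)) {
        close(fd);
        return -1;
    }
    int rc = fchmod(fd, mode);   /* exact mode, independent of umask and of the name */
    close(fd);
    return rc;
}

/* Permission bits of `path` itself (symlinks not followed) if it is of the given
 * S_IFMT type, else -1. */
static int mode_if(const char *path, mode_t type) {
    struct stat st;
    if (lstat(path, &st) != 0 || (st.st_mode & S_IFMT) != type)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Constructed scenario: a fresh temp dir with a 0600 "secret" file and, if
 * attacker_symlink is set, a symlink at the FIFO path pointing at that file.
 * Runs the chosen variant with mode 0666 and reports the secret's mode and the
 * FIFO's mode (-1 if no real FIFO exists there). Returns the variant's result. */
int run_scenario(int hardened, int attacker_symlink, int *secret_mode, int *fifo_mode) {
    char dir[] = "/tmp/mkfifo-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char secret[256], fifo[256];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);

    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (attacker_symlink && symlink(secret, fifo) != 0)
        return -1;

    int rc = hardened ? mkfifo_hardened(fifo, 0666) : mkfifo_vulnerable(fifo, 0666);
    *secret_mode = mode_if(secret, S_IFREG);
    *fifo_mode = mode_if(fifo, S_IFIFO);

    unlink(fifo);
    unlink(secret);
    rmdir(dir);
    return rc;
}

int main(void) {
    int sm, fm;
    int rc = run_scenario(0, 1, &sm, &fm);
    printf("vulnerable + symlink: rc=%d secret mode=%04o\n", rc, sm);
    rc = run_scenario(1, 1, &sm, &fm);
    printf("hardened   + symlink: rc=%d secret mode=%04o\n", rc, sm);
    rc = run_scenario(1, 0, &sm, &fm);
    printf("hardened, fresh path: rc=%d fifo mode=%04o\n", rc, fm);
    return 0;
}
```

The defensive point is the order of operations: treat EEXIST as a failure, and never apply a mode to a name you did not just create under your own control. The `fstat()` check matters because `O_NOFOLLOW` only refuses a symlink at the final component; a regular file swapped into place would still open, and only the type check stops its permissions from being changed. In a real race the window is between `mkfifo()` returning and the mode being applied; the scenario here simply pre-places the symlink, which is the state the attacker is trying to reach.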