Comment by AlotOfReading
6 months ago
There is this dumb belief stemming from lack of proper CS education that any code you write can just randomly have memory safety issues.
This is effectively true in C and C++ though. Show me a nontrivial project in either of those languages that has never had a memory safety issue and I'll show you a project that doesn't look at quality. Even SQLite doesn't meet this bar, despite incredibly skilled programmers and an obsessive commitment to quality.
>Show me a nontrivial project in either of those languages that has never had a memory safety issue
I mean, the Linux kernel is a pretty good example. Static analyzers and things like valgrind exist for a reason.
There's been over a thousand memory safety CVEs in the kernel this year alone [0], the most recent published 2 days ago. Most of these aren't exploitable and are caught before stable, so I went to LWN instead and "scrolled down" until I saw an article that mentioned a memory safety vuln in stable kernels. "Scrolled down" is in quotes because there was no scrolling involved. Today's Friday security updates post links USN-7861-3 [1], which includes fixes for memory safety issues like CVE-2025-37838 [2].
[0] https://www.cvedetails.com/vulnerability-list/vendor_id-33/p...
[1] https://lwn.net/Articles/1046495/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-37838