Skip to content
DevMeme
7031 of 7435
Bar Chart Trolls Rust: More Kernel CVEs Per Million Lines Than C
Languages Post #7709, on Feb 14, 2026 in TG

Bar Chart Trolls Rust: More Kernel CVEs Per Million Lines Than C

Why is this Languages meme funny?

Level 1: The New Kid's Spelling Test

Imagine a new kid joins class and takes one spelling quiz with three words, getting one wrong — that's 33% wrong! Meanwhile, a kid who's been there all year has spelled a thousand words and missed fifty — only 5% wrong. Someone makes a poster declaring the new kid is "the worst speller in school." It's funny because the math is technically real but obviously unfair — one quiz can't be compared to a whole year — and the poster was clearly made just to start a fight at recess. Computer folks make posters like this about their favorite programming languages all the time.

Level 2: CVEs, Kernels, and Small Numbers

A CVE (Common Vulnerabilities and Exposures) is a publicly cataloged security flaw — each gets an ID like CVE-2024-12345. The Linux kernel is the core of the Linux operating system, historically written in C, a fast language that lets you manipulate memory directly — and therefore lets you corrupt it, the root of most severe security bugs. Rust is a newer language whose compiler refuses to build code containing whole classes of those memory mistakes, which is why the kernel recently started accepting Rust code for drivers.

"Per million lines of code" is a normalization: dividing bug counts by code size so big and small codebases can be compared. The trap, which this chart exploits, is small sample size. If a project has only a tiny amount of Rust, then just one or two bugs produce a scary-looking rate, while C's rate is averaged over an enormous, decades-old codebase. It's like comparing a rookie driver's accident rate after one week to a veteran's after thirty years.

The career lesson: whenever a chart confirms something controversial a little too neatly, ask three questions — what's the sample size, where's the data from, and who benefits from me sharing it angrily?

Level 3: How to Lie with Matplotlib

The chart is engineered engagement bait, and its craftsmanship deserves grudging respect. Title: "Linux Kernel CVEs Per Million Lines of Code." Two bars: Rust at 8.33, C at 5.53, each watermarked with its language logo. No error bars, no sample sizes, no methodology note, no source — just a clean, plausible-looking matplotlib render whose entire rhetorical payload is "the memory-safe language is measurably less safe." It is precision-targeted at the most flammable identity war in systems programming.

Veterans of the Rust-for-Linux saga will recognize why this lands. The initiative — merging Rust infrastructure into the kernel to write drivers with compile-time memory safety — has produced years of legendarily heated LKML threads, maintainer resignations, and Linus pronouncements. Each camp has its grievance: C maintainers resent learning a second language to review patches touching their subsystems; Rust advocates point at the decades of use-after-free and out-of-bounds CVEs that constitute the majority of serious kernel vulnerabilities. Into that powder keg, someone tosses a normalized metric where the new code looks worse.

The meta-joke for the statistically literate: a denominator is not a methodology. Normalizing by lines of code feels rigorous — it's the same instinct that produces "defects per KLOC" in management decks — but it silently assumes comparable scrutiny, comparable age, comparable attack surface, and enough events for the rate to stabilize. None hold here. New code of any language gets a burst of early CVEs precisely because it's getting fresh adversarial attention. The chart is thus a Rorschach test: what you see in it reveals your priors, which is exactly what makes it perfect language-war ammunition.

Level 4: Affine Types Meet Poisson Noise

Two genuinely deep topics collide in this single troll chart. The first is what Rust actually claims. Its borrow checker is applied type theory: ownership implements an affine type system (values usable at most once), and the aliasing-XOR-mutability rule statically excludes data races and use-after-free in safe code. But the Rust-for-Linux effort lives heavily in unsafe territory by necessity — FFI across the C boundary, raw pointer manipulation of kernel data structures, hand-rolled abstractions over locking primitives the type system can't see. The soundness guarantee is conditional: safe Rust is only as safe as the unsafe blocks it's built upon. So kernel Rust CVEs are not a paradox; they're the expected residue of the trusted-computing-base problem. The proof obligations don't disappear — they concentrate.

The second is why "per million lines" is statistically radioactive here. CVE discovery is a rare-event counting process; model it as Poisson and the variance of a rate estimate explodes as the denominator shrinks. The kernel has roughly tens of millions of lines of C and only a tiny Rust footprint — meaning the orange bar's 8.33 could plausibly be generated by literally one or two CVEs. A 95% confidence interval on that estimate would dwarf the entire y-axis. The gray bar at 5.53 aggregates three decades of fuzzing, static analysis, and syzkaller grinding against mature code; the orange bar aggregates a toddler. Comparing them as point estimates is the base-rate fallacy wearing a lab coat.

Description

A matplotlib-style bar chart titled 'Linux Kernel CVEs Per Million Lines of Code' comparing two bars: Rust (orange bar, Rust gear logo watermark) at 8.33, and C (gray bar, hexagonal C logo watermark) at 5.53, on a y-axis from 0 to 10. The chart appears designed to provoke the Rust-vs-C memory-safety debate by showing Rust with a higher CVE density in the Linux kernel than C. The statistical bait is the denominator: the kernel contains tens of millions of lines of mature, battle-hardened C versus a tiny, brand-new Rust footprint, so even a handful of Rust CVEs yields a huge per-million-LOC rate - a textbook small-sample / base-rate fallacy weaponized for language-war engagement

Comments

17
Anonymous ★ Top Pick With ~30 million lines of C and a rounding error of Rust in the kernel, this chart proves only one vulnerability: dividing by a small denominator
  1. Anonymous ★ Top Pick

    With ~30 million lines of C and a rounding error of Rust in the kernel, this chart proves only one vulnerability: dividing by a small denominator

  2. @zaspirin 4mo

    Blazing fast CVE accumulation 🚀🚀🚀

  3. @OrkWard 4mo

    source?

    1. @tuguzT 4mo

      "I made it up" wait for it

    2. @SamsonovAnton 4mo

      Open source, of course! 📱🤓

  4. @LonelyGayTiger 4mo

    I'm pretty sure there's all of exactly one rust CVE, and it's just DOS.

    1. @OrkWard 4mo

      Sound fair, so there are about 120,000 loc of rust in kernel src tree (probably less then 1% of c)

      1. @LonelyGayTiger 4mo

        Looks like as of this time last year it was about 20k lines of Rust. Google's AI summary claims 25k, but doesn't cite any sources.

  5. @LonelyGayTiger 4mo

    And yeah, the kernel treats all crashes as DOS CVEs, so it's not even like the one Rust CVE is actually a problem. Not a real security risk.

  6. @volkov_s 4mo

    Probably 1 line of Rust carries more actual logic than 1 line of C

    1. @nwordtech 4mo

      You can put way more unwraps on single line of rust code

    2. @GioMetal 3w

      that is because the real work is abstracted or people like you cry :(

  7. @H3R3T1C 4mo

    1 of 2 is 50%..... 5 of 100 is 5%

  8. @Agent1378 4mo

    Hahahahahahshshaaaaaa

  9. @q_rsqrt 4mo

    gotta apply that wd-40

  10. @hkalbasi 4mo

    Linux had 3k CVEs just in 2025, so unless it has 1B lines of C code, this is wrong

  11. @qtsmolcat 4mo

    It's almost like rust is a tiny portion of the codebase or something

Use J and K for navigation