Use-After-Free Landscape: Temporal vs Spatial, kCFI, and the Proven-by-Construction Story
The 2024-2026 industry picture on temporal memory safety, kernel mitigations, and the convergence of UAF defences.
Tag
Industry
11 notes
curl, Daniel Stenberg, and the "Is C/C++ The Actual Problem?" Debate
Stenberg's curl CVE data, the Hyper / Rust experiment, and the unresolved 2026 question of whether memory-safe languages are the whole answer.
Chrome Memory-Safety Data and the Rust-in-Chrome Rollout
Chrome Security's published per-quarter memory-safety data for 2024-2026, the JSON / PNG / fonts Rust rollouts, and the V8 sandbox.
EU Cyber Resilience Act and Memory Safety
The CRA's 2026-2027 enforcement timeline and the implicit pressure toward memory-safe languages.
DoD Safe Coding Practices and Military / Aerospace Memory-Safety Procurement (2024-2026)
The DoD's evolving acquisition posture on memory-safe languages, the SWFT framework, and aerospace coding standards.
White House ONCD "Back to the Building Blocks" (February 2024)
The White House Office of the National Cyber Director's memory-safety report and the C/C++-adverse federal stance.
NSA "Software Memory Safety" Guidance (2022) and the June 2025 Reissue
The NSA's formal language-level guidance, the named-language list, and the joint CISA reissue.
CISA Secure-by-Design Pledge and the January 2026 Memory-Safety Deadline
The voluntary US federal pledge that has set the de-facto industry baseline for memory-safety roadmaps.
Google: Android Rust, Chrome Rust, V8 Sandbox
Google's published 2022-2026 data on memory-safety progress — Android's 76% → <20% trajectory, the CVE-2025-48530 near-miss, the V8 sandbox.
Microsoft "70% of CVEs Are Memory Safety" Statistic
The canonical industry data point on memory-safety vulnerability prevalence, and every follow-up through 2026.
Industry, Policy, and Deployment Data
Microsoft 70%, Google/Android Rust, CISA Secure-by-Design (Jan 2026), NSA CSI, ONCD, DoD SWFT, EU CRA, Chrome CVE data, curl, UAF landscape.