Google’s Adoption of Rust Significantly Reduces Android Memory Safety Vulnerabilities
In a significant advancement for Android security, Google has reported that the integration of the Rust programming language into the Android operating system has led to a substantial decrease in memory safety vulnerabilities. For the first time, these types of vulnerabilities now constitute less than 20% of the total identified issues.
Jeff Vander Stoep, a member of Google’s Android security team, highlighted the impact of this transition:
We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust’s impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one.
This development follows Google’s earlier disclosure that the shift to Rust had reduced memory safety vulnerabilities from 223 in 2019 to fewer than 50 in 2024.
The adoption of Rust has not only enhanced security but also improved development efficiency. Rust code requires approximately 20% fewer revisions compared to C++ code, leading to a decreased rollback rate and increased overall development throughput.
Looking ahead, Google plans to extend Rust’s security and productivity benefits to other components of the Android ecosystem, including the kernel, firmware, and critical first-party applications such as Nearby Presence, Message Layer Security (MLS), and Chromium. Notably, Chromium has already replaced its parsers for PNG, JSON, and web fonts with memory-safe implementations in Rust.
Despite the advantages of Rust, Google emphasizes the importance of a comprehensive, defense-in-depth approach to memory safety. The built-in memory safety features of Rust are considered one part of a broader strategy.
An illustrative example of this approach is the discovery of a memory safety vulnerability (CVE-2025-48530, CVSS score: 8.1) in CrabbyAVIF, an AVIF (AV1 Image File Format) parser/decoder implemented in unsafe Rust. This flaw could have led to remote code execution. Although the vulnerability never reached a public release, Google patched it in the August 2025 Android security update.
Further analysis revealed that the vulnerability was rendered non-exploitable by Scudo, a dynamic user-mode memory allocator in Android designed to combat heap-related vulnerabilities such as buffer overflows, use-after-free, and double-free errors, without compromising performance.
Google acknowledges that while unsafe Rust is considerably safer than C and C++, the inclusion of an unsafe code block in Rust does not automatically disable the language’s safety checks. The company recognizes that C and C++ will continue to be part of the development landscape, and that both software and hardware safety mechanisms remain critical for layered defense. However, the transition to Rust offers a more secure and efficient development path.
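To make the point about `unsafe` blocks concrete, here is an added example (not Android or CrabbyAVIF code) showing that ordinary slice indexing stays bounds-checked inside `unsafe`, and that only explicitly unsafe operations such as `get_unchecked` skip the check. The byte buffer is a constructed stand-in for a parsed image payload.

```rust
// Added example: an `unsafe` block does not switch off Rust's safety checks.
// Safe indexing is still bounds-checked inside it; only the few explicitly
// unsafe operations (raw pointer deref, `get_unchecked`, unsafe fn calls)
// bypass the check, and those are what reviewers should look for.
use std::panic;

/// Constructed sample "payload": four header bytes followed by pixel data.
pub const SAMPLE: [u8; 8] = [0x00, 0x00, 0x00, 0x1C, 0xAA, 0xBB, 0xCC, 0xDD];

/// Safe indexing wrapped in an `unsafe` block. An out-of-range `idx` still
/// panics instead of reading adjacent memory, exactly as it would without
/// the `unsafe`. Nothing here needs `unsafe`, so rustc would warn about an
/// unnecessary unsafe block; that warning is itself a useful review signal.
#[allow(unused_unsafe)]
pub fn lookup_in_unsafe_block(buf: &[u8], idx: usize) -> u8 {
    unsafe { buf[idx] }
}

/// Runs the lookup and reports whether the bounds check fired:
/// Ok(byte) for an in-range index, Err(()) if safe indexing panicked.
pub fn checked_lookup(buf: &[u8], idx: usize) -> Result<u8, ()> {
    panic::catch_unwind(move || lookup_in_unsafe_block(buf, idx)).map_err(|_| ())
}

/// The kind of operation that really is unchecked. `get_unchecked` is an
/// `unsafe fn`, so it cannot be called outside `unsafe`, and the caller
/// takes on the obligation to prove `idx < buf.len()`. Guarding it with a
/// length check restores memory safety at the API boundary.
pub fn lookup_unchecked_guarded(buf: &[u8], idx: usize) -> Option<u8> {
    if idx >= buf.len() {
        return None;
    }
    // SAFETY: idx < buf.len() was verified above.
    Some(unsafe { *buf.get_unchecked(idx) })
}
```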
In conclusion, Google’s adoption of Rust in Android development has led to a significant reduction in memory safety vulnerabilities, enhanced development efficiency, and a more secure operating system. This strategic shift underscores the importance of adopting memory-safe programming languages in modern software development to improve security and productivity.