By The experiment that changed everything just ended. At the 2025 Kernel Maintainer Summit in Tokyo last week, Linux kernel maintainers declared Rust permanent. After three years of evaluation since merging in Linux 6.1, the verdict is in: “The experiment is done, i.e. Rust is here to stay.” For the first time in 34 years, C has competition in the Linux kernel. Consensus was unanimous—zero pushback from assembled maintainers.
Android 16 Proves Production Readiness at Scale
The “experimental” tag was already misleading. Android 16 ships Rust kernel code in production right now—specifically the ashmem memory allocator. Millions of devices worldwide are running Rust-based kernel components. Google didn’t prototype or test—they deployed to their entire ecosystem. That’s the validation that convinced kernel maintainers to drop the experimental label.
Miguel Ojeda, who leads the Rust for Linux project, was conservative about requesting permanent status. But Android 16 changed the calculus: “With Android shipping Rust code, the time has come.” When Google trusts Rust for Android’s kernel—powering billions of devices—everyone else can too. The Tokyo summit formalized what production deployments already proved.
Memory Safety Solves a 30-Year Crisis
Linux isn’t adopting Rust for novelty. The kernel has a severe memory safety problem. In 2024 alone, Linux had 3,931 security vulnerabilities—averaging 223 CVEs per year over the last decade. More than half are memory-related: use-after-free, buffer overflows, null pointer dereferences. Research shows 78% of memory corruption exploits stem from buffer and integer overflows.
Greg Kroah-Hartman, Linux’s second-in-command and stable maintainer, has seen every kernel CVE for the past 15 years. His assessment is blunt: “The majority of bugs we have are due to the stupid little corner cases in C that are totally gone in Rust. Things like simple overwrites of memory, error path cleanups, forgetting to check error values, and use-after-free mistakes.”
Kroah-Hartman made a compelling case for writing new kernel code in Rust. His data: Rust drivers are proving safer than those written in C. Issues with Rust-C interop turned out to be fewer than expected. Rust mitigates 15.9% of historical vulnerabilities—not perfect, but significant. More importantly, eliminating entire classes of memory bugs frees developers to focus on real issues: logic errors, race conditions, and architectural problems.
“Why wouldn’t we do this?” Kroah-Hartman asked. When the person who reviews every kernel security fix says Rust reduces the bug surface, the argument is over.
Linus Doesn’t Negotiate
Rust adoption isn’t optional anymore. Linus Torvalds reportedly said in private that he would merge Rust code over maintainer objections. Christoph Hellwig, a vocal Rust opponent, confirmed: “As of now, as a Linux developer or maintainer you must deal with Rust if you want to or not.”
Hellwig’s resistance was fierce. He called maintaining a multi-language codebase “cancer,” arguing it created fragmentation and burdened maintainers. The result? Hellwig stepped down as maintainer of the DMA mapping subsystem. Hector Martin, then project lead of Asahi Linux, also quit as a maintainer amid Rust tensions. Both learned the same lesson: Linus doesn’t negotiate on strategic decisions.
The Tokyo summit outcome validated Torvalds’ stance. Zero pushback means opposition collapsed. Rust is permanent, and kernel developers either adapt or step aside.
DRM Will Require Rust in One Year
The shift is accelerating faster than expected. Dave Airlie, maintainer of the DRM subsystem (Direct Rendering Manager for Linux graphics), announced at the summit that DRM is approximately one year away from requiring Rust and prohibiting C for new drivers. That’s not “encouraging” Rust adoption—that’s mandating it and banning the alternative.
DRM sets the precedent other subsystems will follow. The amount of Rust code in the kernel exploded over the last year, growing five-fold. Linux 6.13 introduces changes enabling “way more” Rust-based drivers. The Nova driver for NVIDIA GPUs has pieces already merged. The Android binder driver merged for Linux 6.18. Greg Kroah-Hartman sees a “tipping point” for upstream Rust drivers.
When a major subsystem like DRM mandates Rust within a year, the transformation timeline compresses dramatically. Rust went from experimental to required in three years. That’s infrastructure-level adoption velocity.
C Isn’t Dead, But Its Dominance Is Over
C has 35.1 million lines of code in the Linux kernel. That’s not going anywhere. Rewriting the entire kernel in Rust would be impractical and unnecessary. Rust complements C rather than replacing it.
The strategy is clear: new subsystems and drivers get written in Rust. Existing C code remains C unless there’s a compelling reason to rewrite. Rust-C interoperability through FFI bindings enables gradual adoption. Over the next decade, the kernel will become a patchwork of C (legacy, stable components) and Rust (new, safety-critical code).
But make no mistake—C’s 34-year monopoly ended last week in Tokyo. Future kernel contributors need dual-language expertise. Writing new drivers in C will become the exception, not the norm. Generational shift is underway.
Enterprise and Safety-Critical Industries Are All-In
It’s not just Linux. The Safety-Critical Rust Consortium, founded in June 2024 by the Rust Foundation, grew substantially in 2025. Its 30-40 member organizations include Toyota, Arm, STMicroelectronics, AdaCore, and Ferrous Systems. These aren’t hobbyists—these are companies building automotive, aerospace, and medical systems where bugs kill people.
The consortium is developing coding guidelines aligned with MISRA safety standards and qualified toolchains. Ferrocene became the first open-source Rust compiler qualified for ISO 26262 ASIL-D (automotive) and IEC 61508 SIL4 (industrial) applications. STMicroelectronics and HighTec delivered a Rust compiler qualified to ISO 26262 ASIL D paired with STM Stellar microcontrollers.
Enterprise adoption extends beyond safety-critical domains. Microsoft is experimenting with Rust in low-level Windows components. Meta designated Rust a formally supported server-side language. AWS built Firecracker—its ultra-light microVM technology—entirely in Rust. When industries with strict liability and regulatory requirements choose Rust over C, the market has rendered its verdict.
Key Takeaways
The Linux kernel’s decision to make Rust permanent isn’t hype—it’s infrastructure reality. After three years of evaluation, Android 16’s production deployment, and unanimous consensus from kernel maintainers, Rust earned its place. Memory safety addresses a 30-year problem C fundamentally cannot solve. Linus Torvalds’ top-down mandate removes all ambiguity: Rust is non-negotiable for the kernel’s future.
DRM requiring Rust within a year signals how fast adoption will accelerate. C remains essential for 35 million lines of existing code, but new development shifts to Rust. The Safety-Critical Rust Consortium’s enterprise traction—automotive, aerospace, medical—validates Rust beyond Linux. When Toyota and STMicroelectronics bet on Rust for systems where failures cost lives, skepticism evaporates.
For kernel developers, the career implications are clear: learn Rust or fall behind. For the industry, the message is equally direct: memory-safe systems programming is no longer experimental. The experiment succeeded. Rust is permanent.
