[steveklabnik]

> i always ask why are there any CVEs for rust if its "memory-safe" but never get an answer suprisingly

The answer is straightforward: bugs exist. Even in formally proven software, mistakes can be made. Nothing is perfect.

Additionally, memory safety is a property that when people talk about it, they mean by default. All languages contain some amount of non-proven unsafe code in their implementation, or via features like FFI. Issues can arise when these two worlds interact. Yet, real-world usage shows that these cases are quite few compared to languages without these defaults. The exceptions are also a source of the CVEs you’re talking about.