The Linux kernel has finally eliminated the strncpy API after six years of development and 360 patches. This change marks the culmination of a long-running effort to remove an interface known for its role in buffer overflow vulnerabilities. The transition, part of the Linux 7.2 cycle, signals a broader shift toward safer memory-handling practices in kernel code.

The removal of strncpy addresses a persistent source of security bugs, as the function's behavior—particularly its null-padding—was often misunderstood by developers. By replacing it with more explicit alternatives like strscpy, the kernel reduces the risk of silent data truncation and off-by-one errors. This change aligns with the wider industry movement toward memory-safe programming languages and APIs.
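The truncation and padding behavior described above can be seen in user space; this is an added example, not code from the kernel or from the patches discussed. `demo_strscpy` is a hypothetical stand-in that mirrors the documented contract of the kernel's strscpy (always NUL-terminated, no padding, `-E2BIG` on truncation), and the interface-name strings are constructed sample input.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-in for strscpy(), written for this example (not kernel
 * code). Contract mirrored: always NUL-terminate when size > 0, never pad,
 * return the copied length or -E2BIG if the source did not fit. */
static long demo_strscpy(char *dst, const char *src, size_t size)
{
    size_t i;
    if (size == 0)
        return -E2BIG;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (long)i : -E2BIG;
}

/* Returns 1 if strncpy() into an 8-byte buffer left it unterminated. */
static int strncpy_left_unterminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof(dst));      /* stale contents, no NUL anywhere */
    strncpy(dst, src, sizeof(dst));     /* legacy pattern */
    return memchr(dst, '\0', sizeof(dst)) == NULL;
}

/* Counts the NUL bytes strncpy() writes after a source shorter than 8. */
static size_t strncpy_nul_bytes(const char *src)
{
    char dst[8];
    size_t i, n = 0;
    memset(dst, 'X', sizeof(dst));
    strncpy(dst, src, sizeof(dst));
    for (i = strlen(src); i < sizeof(dst) && dst[i] == '\0'; i++)
        n++;
    return n;
}

int main(void)
{
    char buf[8];
    long r = demo_strscpy(buf, "wlan0-backup", sizeof(buf)); /* constructed input */
    printf("strncpy unterminated: %d\n", strncpy_left_unterminated("wlan0-backup"));
    printf("strncpy NUL bytes for \"eth0\": %zu\n", strncpy_nul_bytes("eth0"));
    printf("strscpy stand-in: ret=%ld buf=\"%s\"\n", r, buf);
    return 0;
}
```

With strncpy the caller gets no signal that the 12-byte name was cut to 8 unterminated bytes, while the strscpy-style call reports the truncation through its return value and still leaves a valid string.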

Over 360 patches were required to update all in-kernel users of strncpy, reflecting the scale of the migration. Each patch had to be carefully reviewed to ensure no accidental introduction of new bugs. The effort underscores the kernel community's commitment to incremental, rigorous codebase improvement.

For downstream distributions and embedded systems maintainers, this removal may require updating out-of-tree drivers or custom modules still relying on the old API. However, the long deprecation period gave most developers ample time to adapt. The change is expected to reduce the attack surface for memory corruption exploits.

Some developers have argued that the migration could have been completed faster with a more aggressive timeline. Nonetheless, the careful approach likely prevented regressions.