ISO C++ Directions Group response to RFI on open source software security

3 points by alilleybrinker over 1 year ago

2 comments

trealira over 1 year ago

From the response:

"Much of the criticism of C++ is based on code that is written in older styles, or even in C, that do not use the modern facilities aimed to increase type-and-resource safety. Also, the C++ eco system offers a large number of static analysis tools, memory use analysers, test frameworks and other sanity tools."

I often hear comments like this from proponents of modern C++, comments that imply that anachronistic C++ is to blame for CVEs written in it. However, it can be tricky even in "modern" C++ to avoid causing use-after-free errors and memory corruption. The first example is this post, discussing something that was assumed to be a GCC bug that actually just shows how unintuitive lambdas and coroutines can be when mixed together:

https://news.ycombinator.com/item?id=33084431

And these are two memory safety errors (in Chromium and Edge, respectively) that are written in what looks to be modern C++:

https://bugs.chromium.org/p/chromium/issues/detail?id=1027152

https://microsoftedge.github.io/edgevr/posts/memory-corruption-vulnerabilities-in-edge/

trealira over 1 year ago

For context, this is what they're replying to: https://www.federalregister.gov/documents/2023/08/10/2023-17239/request-for-information-on-open-source-software-security-areas-of-long-term-focus-and-prioritization