The Linux kernel has officially removed the strncpy API, marking the end of a six-year effort to eliminate a function widely regarded as a significant source of security vulnerabilities. Developers merged the final patches into the Linux 6.14-rc1 development cycle, effectively replacing the legacy string-copying function with safer, more modern alternatives across the entire kernel codebase.
Why was strncpy a security risk?
The strncpy function was designed to copy a string from a source to a destination buffer, but it possessed two behaviors that frequently led to kernel-level bugs. First, if the source string was shorter than the provided buffer size, strncpy would zero-fill the remainder of the destination, resulting in unnecessary performance overhead.
More critically, if the source string was longer than the buffer, the function would fail to null-terminate the destination string. This failure often led to "out-of-bounds" read vulnerabilities, where subsequent code would read past the allocated memory buffer. According to documentation from the Linux Kernel Archive, this ambiguity made the API a persistent vector for memory safety issues that could be exploited by attackers.
How did the kernel team replace it?
The transition away from strncpy involved over 360 individual commits, as reported by Phoronix. The process required developers to manually audit and refactor thousands of instances where the function was used.
Instead of strncpy, the kernel now utilizes safer interfaces such as:
- strscpy: This function guarantees null-termination and provides a clear return value indicating whether the copy was truncated.
- strscpy_pad: A variant used when zero-padding is explicitly required for security or data integrity.
By moving to these APIs, the kernel ensures that strings are always properly terminated, preventing the memory access errors that plagued the older implementation.
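The two strncpy behaviors described above, next to the strscpy contract, as an added example that is not kernel code and not part of the original article. model_strscpy is a hypothetical userspace stand-in that assumes the kernel convention of returning the copied length, or -E2BIG on truncation; the input strings are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Userspace model of the strscpy contract (model_strscpy is an assumed name,
 * not kernel code): always NUL-terminates, returns length or -E2BIG. */
static ssize_t model_strscpy(char *dst, const char *src, size_t size)
{
    size_t i;

    if (size == 0)
        return -E2BIG;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (ssize_t)i : -E2BIG;
}

/* Copy with strncpy into a buffer pre-filled with 'X'; report how many
 * NUL bytes the buffer holds afterwards (0 means it is unterminated). */
static size_t strncpy_nul_count(char *buf, const char *src, size_t size)
{
    size_t i, nuls = 0;

    memset(buf, 'X', size);
    strncpy(buf, src, size);
    for (i = 0; i < size; i++)
        nuls += (buf[i] == '\0');
    return nuls;
}

int main(void)
{
    char buf[8], wide[16];
    const char *longsrc = "constructed-long-name"; /* constructed input */

    /* Overlong source: strncpy fills all 8 bytes and writes no terminator. */
    printf("strncpy overlong: %zu NUL bytes\n",
           strncpy_nul_count(buf, longsrc, sizeof(buf)));
    /* Short source: strncpy zero-fills the remaining 12 of 16 bytes. */
    printf("strncpy short:    %zu NUL bytes\n",
           strncpy_nul_count(wide, "eth0", sizeof(wide)));
    /* Same overlong source: truncated, terminated, and reported. */
    printf("model_strscpy:    ret=%zd buf=\"%s\"\n",
           model_strscpy(buf, longsrc, sizeof(buf)), buf);
    return 0;
}
```

A caller that checks for a negative return from the strscpy-style copy can reject or log the truncated input instead of silently carrying on with a shortened string.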
What is the impact on kernel development?
This removal represents a broader shift toward "memory safety" within the Linux kernel, a priority championed by the Linux Kernel Security Team. While strncpy was a staple of C programming for decades, its removal demonstrates that the kernel community is willing to retire legacy standards in favor of primitives that prevent common classes of software vulnerabilities.

Key Takeaways
- Scope of change: The removal involved more than 360 patches submitted over a six-year period.
- Primary replacement: strscpy is now the preferred standard for string copying, as it prevents non-terminated string buffers.
- Security goal: The move eliminates a known source of out-of-bounds read vulnerabilities that have historically threatened system stability.
The completion of this project serves as a precedent for ongoing efforts to modernize the kernel. As the development cycle for Linux 6.14 continues, the removal of strncpy stands as a definitive step in reducing the kernel’s attack surface and enforcing stricter coding standards for future contributions.