
Bjarne Stroustrup, the creator of C++, has issued a call to action to the developer community, urging them to defend the programming language against mounting criticism from cybersecurity experts. In recent years, C++ has come under increasing scrutiny, primarily due to concerns over memory safety—an issue that has led to its exclusion from recommended languages for government and enterprise projects.
C and C++ rely on manual memory management, making them vulnerable to issues such as buffer overflows and memory leaks—flaws that account for a significant portion of security vulnerabilities in large-scale codebases. As a result, major organizations worldwide are shifting towards languages with stronger memory safety features, such as Rust, Go, Java, Swift, and Python.
In response, the C/C++ community has launched a series of initiatives aimed at enhancing security, including projects like TrapC, Fil-C, Mini-C, and Safe C++. However, Stroustrup believes that the challenge lies not only in slow progress but also in the absence of a compelling public narrative capable of countering Rust’s rising popularity. In his address to the C++ Standards Committee (WG21), he urged swift action, advocating for the adoption of the Profiles framework to strengthen security measures.
Stroustrup emphasizes that memory safety has always been a core priority for C++, cautioning against interpreting his measured tone as indifference. He reminded the community that he had previously warned of C++’s potential fragmentation due to chaotic, unstructured changes to the language.
One of the most pressing concerns is the directive issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which mandates that by 2026, software vendors must either eliminate all memory-related vulnerabilities or transition entirely to memory-safe languages. Stroustrup views this as a serious existential threat to the future of C++.
Developers working with C++ are being presented with various solutions, though none have yet emerged as an industry standard. For instance, TrapC proposes the use of “safe pointers” to prevent out-of-bounds memory access and segmentation faults. However, such approaches require substantial modifications to existing codebases and cannot be implemented overnight.
Opinions on C++’s future remain divided. Some experts, such as David Chisnall from the University of Cambridge, argue that a full-scale replacement of C++ is impractical, given the vast volume of legacy code written in the language. Instead, he advocates for an evolutionary approach, gradually modernizing C++ with enhanced security mechanisms.
Meanwhile, Google and other tech giants are aggressively promoting the adoption of memory-safe languages, further intensifying pressure on the C++ community. The pivotal question remains: can C++ evolve quickly enough to meet the demands of the cybersecurity landscape before 2026, or is the legendary language doomed to fade into oblivion?