The year 2025 stands as a definitive inflection point in the half-century trajectory of C. Following the formal publication of the C23 standard (ISO/IEC 9899:2024) on October 31, 2024, the ecosystem found itself navigating a complex trilemma: maintaining the unparalleled stability required by legacy infrastructure, integrating aggressive performance demands of modern silicon through new compiler vectorization capabilities, and confronting the existential threat posed by industry-wide memory safety mandates. GCC 15's April release made C23 the default dialect (and added #embed support), accelerating C23 adoption in production toolchains. Meanwhile, the Linux Kernel Maintainers Summit declared Rust "no longer experimental"—"here to stay" alongside C's ~34 million lines of kernel code.

The TIOBE Index shows C at #2 with a 10.99% rating and +2.13% year-over-year change (Jan 2026 table), one of the biggest jumps among top languages. Stack Overflow's 2025 survey shows 19.1% of professional developers using C, 22% of all respondents, and 48% of learners—ranking it fourth among those learning to code. The embedded systems market remains C's stronghold, with industry surveys often citing a majority share for C in embedded projects. Yet CISA and NSA joint guidance urged prioritizing memory-safe languages for new development and treated C/C++ as typical non-MSLs—citing that 67% of zero-day vulnerabilities in 2021 were memory safety issues.

Actions for 2026: Install your distro's patched glibc for CVE-2025-4802 (upstream fixed after 2.38; most distros backport). Enable C23 mode (-std=c23) in your build systems. Integrate AddressSanitizer and OSS-Fuzz into CI pipelines. Evaluate MISRA C:2025 guidelines for safety-critical projects. Monitor the C2Y standard work for defer keyword developments.

Timeline: 2025

January

January 1 — An Oracle engineer posted patches to add an ALGOL 68 front-end to GCC, signaling a broadening GNU toolchain ecosystem with the surprising revival of a 50-year-old language.

January — The TIOBE Index for January 2025 placed C at rank #4, reflecting a dip behind Python, Java, and C++.

January 22 — CVE-2025-0395 disclosed a buffer overflow in glibc's assert() function (CVSS 7.5 via NVD / CISA-ADP, availability impact), affecting versions 2.13 through 2.40—a bug introduced in 2011 and discovered by Qualys, which characterized it as relatively minor.

January 30 — GNU C Library 2.41 shipped with ISO C23 and POSIX.1-2024 support, introducing new math functions (acospi, sinpi), a _ISOC2Y_SOURCE test macro for draft C2Y features, and AArch64 Guarded Control Stack support for enhanced security.

January — The ISO WG14 committee began organizing the C2y workload, with the TrapC proposal—a memory-safe fork of C designed to eliminate Undefined Behavior—circulating in technical circles.

February

February 5 — curl 8.12.0 addressed CVE-2025-0167 (CVSS 3.4 per NVD), a credential leak where .netrc passwords could be sent to the wrong host during HTTP redirects.

February 13 — CVE-2025-26519 published for musl libc (CVSS 7.0 per NVD), an out-of-bounds write in iconv's EUC-KR to UTF-8 conversion that can cause memory corruption and potentially code execution, fixed in musl 1.2.6.

February 24-28 — The ISO WG14 meeting in Graz, Austria set the post-C23 technical direction, reviewing the "Slay Some Earthly Demons" papers (N3244, N3409, N3410) on effective types and object provenance, while the TrapC proposal (N3423) faced significant skepticism regarding union removal.

February — GNU Binutils 2.44 officially deprecated the old GNU Gold linker, marking a shift toward LLVM LLD or the traditional BFD linker.

February — glibc 2.41 was found to break certain applications (Steam games, Discord, MATLAB) due to a symbol collision issue; maintainers merged a workaround to restore compatibility.

March

March 11 — LLVM 20.1.0 released with full assembly support for Armv9.6-A architecture, beta SVE2.1 support, and the renaming of flang-new to flang, signaling LLVM's Fortran frontend reached production maturity.

March 27 — CMake 4.0 shipped, dropping compatibility with versions below 3.5.

March — The TIOBE index recorded C slipping to 4th place—its lowest rank since at least 2001—behind Python, Java, and C++, stirring discussion on C's future.

March 24 — Linux 6.14 released, continuing the trend of more Rust components alongside C.

April

April 8 — OpenSSL 3.5.0 launched as the new Long Term Support release.

April 25 — GCC 15.1 released, updating the default C language standard from gnu17 to gnu23—the first default change in years. The release included experimental C2y feature support (generic selection expressions N3260, named loops N3355), significant OpenMP improvements for GPU offloading, a new COBOL front-end, and improved experimental Rust front-end (gccrs). Red Hat documented the #embed directive implementation.

April 28 — The Open Source Security Foundation released "The Memory Safety Continuum", treating memory safety as a spectrum rather than binary state.

April 25 — Valgrind 3.25.0 added initial RISC-V 64-bit Linux support.

May

May 16 — CVE-2025-4802 disclosed in glibc (CVSS 7.8), involving mishandling of LD_LIBRARY_PATH in setuid binaries. Affecting versions 2.27-2.38, it allowed loading malicious libraries in statically compiled setuid programs.

May 19 — GitHub Copilot Coding Agent launched for fully autonomous operation using GitHub Actions.

May 20 — CVE-2025-37899 disclosed in Linux kernel's ksmbd SMB server—a use-after-free identified by a researcher using OpenAI's o3 model in the SMB logoff path, per Sean Heelan's writeup (Heelan frames it as remote; NVD currently scores AV:L/PR:L).

May 29 — SQLite celebrated its 25th anniversary with version 3.50.0.

May — Red Hat detailed GCC 15 inclusion in Fedora 42, bringing C23 defaults to a wide user base.

May — Clang/LLVM neared full C23 support. According to cppreference's compiler support table, Clang 19+ supports #embed, constexpr, and most C23 features.

June

June 18 — RedMonk's Q1 2025 rankings placed C at 10th position, stable from previous years.

June 24 — CISA and NSA published joint guidance, urging organizations to prioritize memory-safe languages for new development and treating C/C++ as typical non-MSLs.

June — Reports surfaced of increasing friction between long-time kernel maintainers and Rust contributors, with a maintainer reportedly likening the C/Rust maintenance burden to "cancer". Industry experts noted that "C still dominates the embedded world".

June — The MISRA consortium announced work on updated guidelines (MISRA C:202X) to cover C11 and C23 features including _Atomic and bounds-checked functions.

July

July 23 — CVE-2025-8058 disclosed a double-free vulnerability in glibc's regcomp function (CVSS 5.9 v4, CNA score; Gentoo rated High), affecting versions 2.4-2.41.

July 28 — GNU C Library 2.42 shipped with security fixes for earlier CVEs and C23 alignment, alongside steady performance work. Larger math routine gains (including and 12.9× improvements) were reported as part of upcoming glibc 2.43 work rather than the 2.42 release.

July — VS Code C/C++ extension added support for C23 keywords true and false (N2935) in IntelliSense.

August

August 26 — LLVM 21.1 released with enhanced RISC-V support including Qualcomm's Xqci custom extensions.

August — GCC 15.2 arrived as a bug-fix release with 123+ bug fixes, with developers debating dropping Itanium (IA-64) support due to lack of users and maintainers.

August — GitHub's Octoverse report said TypeScript overtook both Python and JavaScript in August 2025 to become the most used language on GitHub by contributor counts, and that nearly 80% of new repositories used six languages: Python, JavaScript, TypeScript, Java, C++, and C#.

September

September 15-19 — CppCon 2025 took place in Aurora, Colorado, featuring sessions on low-latency systems and concurrency proposals.

September 17 — Gentoo's security advisory detailed fixes for CVE-2025-4802 and CVE-2025-8058, urging all users to upgrade glibc.

September 29 — The Safe C++ proposal was abandoned in favor of incremental "profiles," with Bjarne Stroustrup's approach winning out—a potential model for C's future.

September 30 — OpenSSL disclosed three vulnerabilities: CVE-2025-9230 (CVSS 7.5, out-of-bounds read/write in CMS decryption), CVE-2025-9231 (timing side-channel in SM2 signature), CVE-2025-9232 (DoS). Updates released for versions 3.5.4, 3.4.3, 3.3.5. AISLE discovered three of the four OpenSSL vulnerabilities of 2025.

September — CVE-2025-39869 published affecting the Linux TI EDMA driver, a classic C error with sizeof(s8) and pointer mismatch causing memory corruption on ARM platforms.

October

October 1 — OpenSSL 3.6.0 released, requiring C99 compilers—ANSI C no longer sufficient.

October — The TIOBE Index showed C climbing back to #2 (around 11% rating) behind only Python. C gained +2.13% popularity in 2025, one of the biggest jumps among top languages.

October — The WG14 document log recorded numerous submissions for C2y including "Range bounds for math functions" (N3731) and "Integer Sets" (N3727).

October — VS Code C/C++ extension v1.28.3 added full IntelliSense support for C23 bool.

October — vcpkg reached 2,691+ ports with new tvOS, watchOS, NetBSD, and Visual Studio 2026 support.

November

November — SQLite 3.51.0 added 64-bit WebAssembly support and improved corruption resistance.

November — curl had its most productive year ever, shipping 8 releases, 3,400+ commits (40% more than any previous year), with curl 8.17.0 containing ~450 bugfixes. Nine CVEs published, all low or medium severity.

November — CVE-2025-8941 disclosed race conditions in linux-pam's pam_namespace module enabling local privilege escalation.

November — Conan package manager released version 2.24.0 supporting Visual Studio 2026 and adding an MCP Server for AI integration.

November — Stack Overflow's 2025 Developer Survey reported 19.1% of professional developers using C, 22% of all respondents, and 48% of learners using C (ranking 4th among those learning to code), with C ranking high on both "most dreaded" and "most loved" lists.

November — Zephyr RTOS reached 4.3.0 with secure storage subsystem and 60+ new board support packages.

December

December 15 — Dave Airlie, the DRM subsystem maintainer, announced plans to require Rust and disallow C for new DRM drivers within approximately one year.

December 16 — CVE-2025-68260 became the first CVE assigned to Rust code in the Linux kernel, affecting the Android Binder driver (rust_binder). For perspective, 159 CVEs were assigned to C code the same day.

December 11 — CVE-2025-13912 identified timing side-channel risks in wolfSSL binaries compiled with LLVM optimizations that can break constant-time guarantees. Trail of Bits proposed constant-time support for LLVM with __builtin_ct_select intrinsics, targeting an upcoming release.

December 20 — GDB 17.1 released with CET Shadow Stack support and Debug Adapter Protocol (DAP) completions.

December — The Linux Kernel Maintainers Summit in Tokyo concluded Rust is "no longer experimental"—"Rust is here to stay," as LWN reported. Maintainer Miguel Ojeda announced that after two years of trials, Rust had proven worth the trade-offs. Steven Rostedt said there was "zero pushback" from maintainers. Context: ~34 million lines of C code vs. 25,000 lines of Rust in the kernel. Android 16's Linux 6.12 kernel already ships production Rust code on millions of devices, including an ashmem allocator built in Rust per DevClass.

December — CLion 2025.3 released, making "Nova" engine the default with 4x faster code highlighting. JetBrains made CLion free for non-commercial use with CLion 2025.1.1. C23's constexpr moves computations to compile-time.

December — C++ code editing tools for GitHub Copilot entered public preview with multi-file refactoring capabilities and deep symbol awareness.

December — TIOBE Index solidified C at #2 with a 10.99% rating (Jan 2026 table). TIOBE CEO Paul Jansen attributed the rise to C23 adoption driving renewed interest.

December — The gccrs developers aim to compile the Linux kernel in Rust with GCC—if successful in 2026, C and Rust could mix seamlessly in the same toolchain.

Security, Vulnerabilities, and Mitigations

2025's most consequential incidents were deep-logic flaws rather than trivial overflows. The standout example was CVE-2025-37899 in Linux ksmbd, found with OpenAI's o3 by Sean Heelan (Heelan frames it as remote; NVD currently scores AV:L/PR:L). Core infrastructure saw high-impact bugs too: glibc (CVE-2025-4802, CVE-2025-0395, CVE-2025-8058), OpenSSL (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232), and system plumbing like musl (CVE-2025-26519), curl (CVE-2025-0167), and linux-pam (CVE-2025-8941). Kernel and compiler edge cases added more uncertainty: CVE-2025-39869 (CVSS pending), CVE-2025-13912 (wolfSSL compiled with LLVM), and the first Rust kernel CVE (CVE-2025-68260).

Mitigations pushed both runtime hardening and safer coding paths. The kernel continued ARM MTE and heap quarantine work, while library ecosystems kept patching actively; for example, libpng 1.6.51 fixed multiple security issues including CVE-2025-65018 (libpng 2025 news). Toolchain support also advanced: Trail of Bits proposed constant-time support for LLVM with __builtin_ct_select, and a 2025 Checked C experience paper on EDK II reported progress on spatial memory safety (doi:10.1145/3728929).
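The sizeof and pointer mismatch that the timeline notes for CVE-2025-39869 belongs to a well-known class of allocation error. The following is an added illustration constructed for this page, not the driver's code: it puts the under-sized request next to the `sizeof *ptr` idiom that keeps the size tied to the declared type. The `prio_pair` type and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int8_t s8;        /* kernel-style alias, assumed for this sketch */
typedef s8 prio_pair[2];  /* hypothetical element type: two s8 per entry */

/* Mismatched request: the element size is taken from the scalar type,
 * although the pointer is to prio_pair. Only computed, never used to
 * allocate, so nothing here writes out of bounds. */
size_t bytes_mismatched(size_t n) { return n * sizeof(s8); }

/* What an array of n prio_pair entries really occupies. */
size_t bytes_required(size_t n) { return n * sizeof(prio_pair); }

/* Hardened allocation: the size comes from the pointee (sizeof *map), so it
 * follows the declared type; the count is checked before multiplying. */
prio_pair *alloc_prio_map(size_t n)
{
    prio_pair *map = NULL;

    if (n == 0 || n > SIZE_MAX / sizeof *map)
        return NULL;
    map = calloc(n, sizeof *map);
    return map;
}

/* Fill every entry; return the byte offset of the last store. */
size_t fill_prio_map(prio_pair *map, size_t n)
{
    size_t last = 0;

    for (size_t i = 0; i < n; i++) {
        map[i][0] = (s8)i;
        map[i][1] = (s8)i;
        last = (size_t)((unsigned char *)&map[i][1] - (unsigned char *)map);
    }
    return last;
}

int main(void)
{
    size_t n = 4;  /* constructed sample count */
    prio_pair *map = alloc_prio_map(n);

    if (!map)
        return 1;
    size_t last = fill_prio_map(map, n);
    printf("needed=%zu mismatched=%zu last_store_offset=%zu\n",
           bytes_required(n), bytes_mismatched(n), last);
    printf("mismatched size would be overrun: %s\n",
           last >= bytes_mismatched(n) ? "yes" : "no");
    free(map);
    return 0;
}
```

Building with -fsanitize=address and allocating `bytes_mismatched(n)` instead makes the same fill loop fail immediately, which is the kind of finding the AddressSanitizer CI step recommended above is meant to surface.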

Performance and the Compiler Race

The GCC vs. Clang rivalry delivered tangible speedups. Phoronix benchmarks showed GCC 15 with a small edge in raw runtime performance and Clang 20 with faster compiles, while GCC's new "early break" loop vectorization unlocked SIMD gains in text-heavy workloads. On ARM, LLVM 20 added SVE2.1 support for scalable vectorization across server chips.

Library and runtime performance kept improving: glibc 2.42 shipped math and malloc tuning, and Phoronix reported upcoming glibc 2.43 work with and 12.9× math gains tied to a new generic FMA implementation. The Language Benchmarks Game continued to show C trading the speed crown with C++ and Rust.

Ecosystem Signals and Release Cadence

Adoption signals stayed strong even amid volatility: the TIOBE index had C at #2 (10.99%, +2.13 YoY), and the Stack Overflow 2025 survey showed 19.1% of professional developers and 48% of learners using C. Embedded remains the stronghold; the FOSDEM 2025 embedded track emphasized the economic cost of migrating certified C codebases in automotive and aerospace.

Major releases reinforced the ecosystem's breadth: SQLite 3.50.0/3.51.0, curl shipping eight releases, OpenSSL 3.5 LTS and 3.6, RTOS updates like FreeRTOS and Zephyr, and toolchain drops from GCC, LLVM, CMake, and Meson. MISRA also advanced with MISRA C:2025, adding 225 guidelines and clarifying AI-generated code treatment.

Tooling Momentum and Standards Politics

AI-enhanced tooling became normal: Visual Studio 2026 shipped deep Copilot integration, the VS Code C/C++ extension added Copilot Hover, and CLion 2025.3 moved to its Nova engine. Build and package tools kept pace via CMake 4.0, Meson 1.10.0, Conan 2.24.0, and vcpkg, while debugging stacks improved with GDB 17.1 and Valgrind 3.25.0.

Standards and governance stayed contentious. WG14's C2y work focused on correctness and cleanup via papers like "Slay Some Earthly Demons", with future meetings scheduled on the WG14 calendar and ongoing draft tracking in the C2Y projects list. At the same time, TrapC (N3423) triggered backlash (see Slashdot and Reddit), the Safe C++ proposal collapsed, and Rust-in-Linux friction (including Linus Torvalds' response) underscored the governance strain.

2026 Watchlist

1. DRM Subsystem Rust Mandate

When: Approximately December 2026

Context: Dave Airlie, the DRM subsystem maintainer, announced plans to require Rust and disallow C for new DRM drivers within one year. This would mark the first major kernel subsystem to mandate a language other than C for new contributions. The kernel currently contains ~34 million lines of C vs. 25,000 lines of Rust.

Action: Track LKML discussions on DRM/Rust requirements. Evaluate your organization's kernel driver development strategy. If contributing to the DRM subsystem, begin Rust training.

2. GCC 16 Release

When: March-April 2026

Context: Expected to switch C++ default to C++20, mature the "experimental" C2y features introduced in GCC 15, and potentially include the ALGOL 68 front-end. The gccrs developers aim to compile the Linux kernel in Rust with GCC—if production-ready, C and Rust could mix seamlessly in the same toolchain.

Action: Test C2y features (defer, generic selection expressions, named loops) in development builds. Plan for gccrs maturity enabling mixed C/Rust projects without LLVM dependency.

3. OpenSSL 3.0 End-of-Life

When: September 2026

Context: OpenSSL 3.0 goes EOL, and OpenSSL 4.0 targets April 2026. Projects must migrate to OpenSSL 3.5 LTS or later, as intermediate 3.x releases (3.1–3.3) will already be end-of-life by the time 3.0 expires. OpenSSL 3.6.0 now requires C99 compilers—ANSI C is no longer sufficient.

Action: Audit all deployments using OpenSSL 3.0.x. Schedule migration to OpenSSL 3.5 LTS or later. Verify your build toolchain supports C99 minimum.

4. ISO WG14 London Meeting

When: April 2026

Context: The London meeting will likely be a full committee meeting where proposals for C2y are officially adopted or rejected. TrapC is expected to be either killed or moved to the Technical Specification track. The defer keyword has GCC patches already—likely to be decided here.

Action: Monitor WG14 document log for adopted proposals. If maintaining C libraries, assess impact of potential defer keyword, bounds-checked pointer proposals, or K&R function definition deprecation.

5. TIOBE Ranking Volatility

When: Throughout 2026

Context: With the gap between C (#2, 10.99%) and Java (#3) narrowing, and C#'s rapid ascent, 2026 might see C drop out of the top 2 for the first time in decades. The March 2025 dip to #4 showed this volatility is possible.

Action: Use rankings for stakeholder communication, not technical decisions. C's embedded dominance (60%+ market share) and kernel criticality remain unchanged regardless of survey fluctuations.

6. glibc 2.43

When: February 2026

Context: Roadmap includes overhaul of time locale API (year-2038 issues on 32-bit systems) and possibly enabling C2y features under _ISOC2Y_SOURCE as the draft firms up.

Action: Test 32-bit systems against time-related functionality. Prepare for potential API changes affecting embedded or legacy deployments.

7. MSVC C23 Support Status

When: Throughout 2026

Context: Despite Visual Studio 2026, Microsoft has published no official C23 roadmap. Key features like _BitInt, nullptr, #embed remain unavailable. Only partial support exists through /std:clatest. Many note MSVC still doesn't fully support C99.

Action: For cross-platform C projects, maintain GCC/Clang as primary compilers. Use MSVC conditional compilation for Windows-specific paths. Monitor /std:clatest improvements.

8. Embedded World 2026 & CppCon 2026

When: March (Embedded World), September (CppCon)

Context: Embedded World will showcase ongoing C vs. Rust narrative in embedded—expect more vendors with Rust offerings but also new MISRA C:2025 guideline tooling. CppCon often covers cross-cutting topics affecting C including safety profiles that could model C's future.

Action: Watch for MISRA C:2025-compliant static analysis tool announcements. Track safety profile discussions that may influence C2y direction.

9. AI-Discovered Vulnerabilities Escalation

When: Throughout 2026

Context: CVE-2025-37899's discovery using OpenAI o3 showed AI-assisted analysis can find complex concurrency bugs in kernel C code. A DARPA program ("Hardening Legacy C Systems") is set to release results in 2026, potentially including tools to retrofit memory safety on C binaries.

Action: Integrate AI-assisted fuzzing (AuditAI, enhanced OSS-Fuzz) into CI pipelines. Monitor DARPA results for practical LLVM passes or binary rewriters adding bounds checks to existing C apps.

10. musl libc 2.0

When: 2026

Context: musl 2.0 will incorporate all C23 library additions—important for containerized environments using lightweight libc (Alpine Linux base images).

Action: Test C23 feature usage against musl 2.0 pre-releases. Verify container-based CI/CD pipelines remain compatible.
