C# 16 Redesigns `unsafe` Into a Reviewable Contract, Borrowing from Rust
Microsoft is reworking C#'s unsafe keyword from a syntactic marker for pointer features into a propagation-oriented safety contract, closer to how Rust and Swift treat it. Any operation the compiler cannot prove safe must sit inside an inner unsafe { } block, and the resulting obligations bubble up through method signatures until a boundary method explicitly discharges them, whether through runtime guards, static reasoning, or documented upstream invariants. A new /// <safety> doc block formalizes the callee-caller contract, and analyzers can flag its absence. The redesign also covers previously convention-only APIs such as System.Runtime.CompilerServices.Unsafe and Marshal, which will now be marked unsafe in the runtime libraries.
The model ships as a preview in .NET 11 and production in .NET 12, nominally as a C# 16 feature. It will be opt-in initially, following the rollout pattern of nullable reference types, with templates eventually flipping it on by default. The type-level unsafe modifier is being removed in favor of narrower per-member scoping, and unsafe delegates are disallowed.
Microsoft frames this as a response to mounting industry and government pressure on memory safety, amplified by AI-generated code outpacing human review. The compiler enforcement is not the safety itself — it is scaffolding that forces developers to make safety reasoning visible, scoped, and auditable across the call graph, so supply-chain and engineering standards can be enforced mechanically rather than by convention.
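As an added illustration (not code from the article or from Microsoft's proposal), the contract described above written in C# that compiles today: the callee carries the obligation in its unsafe signature and states it in a <safety> block, while the boundary method keeps a safe signature and discharges the obligation with a runtime guard before any pointer work. The method names and the <safety> wording are assumptions; the inner unsafe { } inside an already-unsafe method is redundant under current rules but is what the proposed model requires.

```csharp
using System;

public static class ByteSums
{
    /// <summary>Sums <paramref name="count"/> bytes starting at <paramref name="p"/>.</summary>
    /// <safety>
    /// Caller must guarantee that <paramref name="p"/> points to at least
    /// <paramref name="count"/> readable bytes. No check is performed here, so the
    /// obligation propagates to every caller through the unsafe signature.
    /// </safety>
    public static unsafe int SumUnchecked(byte* p, int count)
    {
        int total = 0;
        // The operation the compiler cannot prove safe (pointer dereference) is confined to an inner block.
        unsafe
        {
            for (int i = 0; i < count; i++)
                total += p[i];
        }
        return total;
    }

    /// <summary>Boundary method: safe signature, discharges the callee's obligation.</summary>
    /// <safety>
    /// Discharged here: the pointer comes from a pinned managed array whose Length
    /// bounds <paramref name="count"/>, which is checked at runtime before entering the block.
    /// </safety>
    public static int Sum(byte[] data, int count)
    {
        // Runtime guard: the evidence that makes the unsafe call below sound.
        if (data is null) throw new ArgumentNullException(nameof(data));
        if ((uint)count > (uint)data.Length)
            throw new ArgumentOutOfRangeException(nameof(count));

        unsafe
        {
            fixed (byte* p = data)
            {
                return SumUnchecked(p, count);
            }
        }
    }
}
```

Compiling this requires AllowUnsafeBlocks in the project; under the proposed model an analyzer would flag SumUnchecked if its <safety> block were removed, and any caller that passed an unchecked pointer through without its own guard would itself have to be marked unsafe.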
This is an AI-generated summary. Read the original for the full story.