Rust 1.94.1 Released: Security Patch and Regression Fixes
Introduction
The Rust team has announced the release of Rust 1.94.1, a point release for the stable channel. This update addresses three regressions introduced in the previous version (1.94.0) and resolves two security vulnerabilities in a core dependency. Rust continues to empower developers to build reliable and efficient software, and this release ensures stability for all users.
Getting Rust 1.94.1
If you already have Rust installed via rustup, upgrading to the latest stable release is straightforward. Simply run:
rustup update stableFor those who haven't installed Rust yet, visit the official Install Rust page to get started with rustup. The installer will fetch the latest version automatically.
Key Changes in Rust 1.94.1
This minor release focuses on fixing issues that were inadvertently introduced in Rust 1.94.0. Below is a detailed breakdown of every change, including regressions and security patches.
Fixing Regressions from 1.94.0
Rust 1.94.1 corrects four regressions that affected specific platforms, tooling, or APIs:
-
Fix
std::thread::spawnonwasm32-wasip1-threads– The previous release broke thread spawning on this WebAssembly target, which is used for threaded Wasm modules. The fix restores the ability to create threads in Wasm environments that support the threads proposal. -
Revert new methods on
std::os::windows::fs::OpenOptionsExt– Rust 1.94.0 added unstable methods to this Windows-specific trait. However, because the trait is not sealed, adding non-default methods could break existing implementations. The team reverted the additions to maintain backward compatibility. The methods will be reconsidered for a future release through a proper stabilization process. -
Clippy: fix ICE in
match_same_arms– An internal compiler error (ICE) in the Clippy linter was triggered when analyzing certain match statements with identical arms. This fix prevents the crash and ensures smooth linting. -
Cargo: downgrade
curl-systo version 0.4.83 – An update ofcurl-sysin Rust 1.94.0 caused certificate validation failures on some versions of FreeBSD. By reverting to the previous version, developers on FreeBSD can once again use Cargo without SSL errors. See the GitHub issue for more details.
Security Fixes
Rust 1.94.1 includes a security patch for the tar crate, which is used by Cargo when handling crate archives:
-
Cargo: Update
tarto version 0.4.45 – This update addresses two vulnerabilities: CVE-2026-33055 and CVE-2026-33056. These CVEs could potentially be exploited by maliciously crafted tar files. Note that users ofcrates.ioare not affected because the registry performs its own validation. However, local tar handling in Cargo is now hardened. For full details, refer to the official blog post.
Acknowledgments
This release was made possible by the collective efforts of the Rust community, including contributors who identified and fixed these issues, as well as the release team that coordinated the rollout. The Rust project sincerely thanks everyone involved for their dedication to improving the language and ecosystem.
To stay up-to-date with future releases, follow The Rust Blog or subscribe to the official announcements. Happy coding!
Related Articles
- Modeling Complex Systems with HASH: A Free Simulation Platform
- Why AI Might Not Accelerate Your Workflows as Expected
- Campervanning Survival Game Shifts Launch to Avoid Subnautica 2’s Early Access Shadow
- 6 Critical Facts About the American Exposure to Ebola in the Congo
- How to Design Status Updates That Build Trust During AI Thinking Time
- IRS Opens Tax Filing Season: Expert Tips to Speed Up Your Refund
- What You Need to Know About Why a recent supply-chain attack singled out secu...
- How to Modernize IT Infrastructure for AI Without Crashing Into Technical Debt