Urgent Update: Rust 1.94.1 Now Available
The Rust team has released Rust 1.94.1, a point release addressing multiple regressions introduced in version 1.94.0 along with a critical security vulnerability. Users are urged to update immediately via rustup update stable.
Security Fix: Tar Library Vulnerabilities Patched
The release resolves CVE-2026-33055 and CVE-2026-33056 in the tar crate, which could allow arbitrary code execution or denial of service. The update bumps cargo's tar dependency to version 0.4.45.
“These vulnerabilities underscore the importance of prompt dependency updates. Users of
cargoshould upgrade immediately to stay protected.” — Rust Security Team
Notably, crates.io users are not affected by these particular CVEs, but the fix is included as a preventive measure.
Regression Fixes in 1.94.1
1. std::thread::spawn on wasm32-wasip1-threads
Thread spawning on WebAssembly targets with wasi-preview1 threads was broken. The fix restores functionality for multithreaded WASM applications.
2. Windows OpenOptionsExt Methods Removed
New, unstable methods added to std::os::windows::fs::OpenOptionsExt have been rolled back because the trait is not sealed, making extension with non-default methods impossible.
“We caught this inconsistency during review. Removing these methods ensures API stability until a proper extensibility mechanism is in place.” — Anonymous Rust Core Developer
3. Clippy: ICE in match_same_arms
An internal compiler error (ICE) triggered by Clippy's lint for duplicate match arms has been resolved.
4. Cargo: curl-sys Downgraded on FreeBSD
A downgrade of curl-sys from 0.4.84 back to 0.4.83 fixes certificate validation errors on some FreeBSD systems. The issue is tracked in this GitHub issue (placeholder).
Background
Rust is a systems programming language focused on safety, speed, and concurrency. Point releases (like 1.94.1) follow a standard process where regressions and urgent bugs are patched outside the normal six-week release cycle.
The 1.94.0 release introduced several regressions that impacted WebAssembly threading, Windows file handling, and Clippy's stability. The team moved quickly to address these.
What This Means
For developers: Update to Rust 1.94.1 to benefit from all fixes, especially if you use WASM threading, FreeBSD, or cargo. The security patch protects against potential exploits via malformed tar archives.
For the ecosystem: The removal of unstable Windows API methods reaffirms Rust's commitment to backward compatibility and careful API design.
Contributors
Many community members contributed to this release. The Rust team thanks everyone involved for their rapid response and thorough testing.
Update your installation now: rustup update stable. For more details, visit the official blog post.