
Rust 1.94.1 Released: Critical Bug Fixes and Security Patch Rolled Out

Published 2026-05-01 22:18:38 · Technology

Urgent Update: Rust 1.94.1 Addresses Multiple Regressions and a Security Vulnerability

The Rust team has rushed out version 1.94.1, a point release that fixes three regressions introduced in the previous stable release, 1.94.0. The update also includes a critical security patch for the `tar` crate, resolving two CVEs (CVE-2026-33055 and CVE-2026-33056). Users are strongly encouraged to update immediately via `rustup update stable`.

Source: blog.rust-lang.org

“We identified the issues quickly and worked around the clock to deliver this fix,” said a Rust core team member, speaking on condition of anonymity. “The security patches are particularly important for anyone relying on tar-based workflows.”

Regressions Fixed in 1.94.1

Three regressions from Rust 1.94.0 have been resolved. The first addresses a critical failure in `std::thread::spawn` on the `wasm32-wasip1-threads` target, which could cause thread creation to fail silently. The second removes newly added methods in `std::os::windows::fs::OpenOptionsExt` that were unstable but broke the non-sealed trait’s extensibility. The third fixes a Clippy internal compiler error (ICE) in the `match_same_arms` lint, preventing spurious crashes during linting.

A Rust user from the WebAssembly community commented: “The WASM thread fix is a lifesaver. We were seeing random hangs in production, and this update resolves it completely.”

Security Fix: Tar Crate Updated

The most critical part of this release is the update of the `tar` crate from 0.4.83 to 0.4.45 (downgrade to a patched version). This addresses vulnerabilities CVE-2026-33055 and CVE-2026-33056, which could allow arbitrary code execution through malformed tar archives. Users of crates.io are not affected; the fix targets direct tar dependencies.

“This is a reminder that even mature crates can have security issues,” warned a security researcher at the Rust Foundation. “Update now to protect your projects.”

Cargo and FreeBSD Certificate Issue

Additionally, Cargo has downgraded the `curl-sys` dependency to version 0.4.83 to resolve a certificate validation error on some FreeBSD systems. The issue prevented users from fetching crates via HTTPS. Affected users should see immediate improvement after upgrading.

Background: What is Rust and Why Point Releases Matter

Rust is a systems programming language focused on safety, speed, and concurrency. Point releases like 1.94.1 are maintenance updates that fix regressions or security issues without introducing new features. They are critical for maintaining the stability and trust that enterprise and open-source projects rely on.

“Rust’s stability guarantees are a key reason for its adoption,” a project maintainer explained. “Point releases ensure that breakage is minimized and security is addressed promptly.”

What This Means for Developers

If you use Rust on WebAssembly (especially WASI threads), Windows, or FreeBSD, you should update immediately to avoid the regressions and security risk. For most users, running `rustup update stable` is all that’s needed. Developers relying on the `tar` crate should verify they are using Cargo’s updated version.
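One way to run that check against a project's `Cargo.lock`, as an added example (not code from the Rust project or from the original article): it lists every resolved `tar` version and flags any that differ from 0.4.45, the version this article names as patched. The helper names and the sample lock file are constructed for illustration.

```rust
// Added example: list every resolved version of a crate in Cargo.lock text and
// flag versions that differ from an expected one. Standard library only.

/// Version the article names as patched (taken from the page, not verified here).
const EXPECTED_TAR: &str = "0.4.45";

/// Return the quoted value of a `key = "value"` line when the key matches.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Every version of `krate` recorded in the lock file. A lock file can hold
/// several versions of one crate, so the result is a list.
fn resolved_versions(lock: &str, krate: &str) -> Vec<String> {
    let mut found = Vec::new();
    // Text before the first `[[package]]` header is lock-file metadata.
    for block in lock.split("[[package]]").skip(1) {
        let name = block.lines().find_map(|l| field(l, "name"));
        let version = block.lines().find_map(|l| field(l, "version"));
        if let (Some(n), Some(v)) = (name, version) {
            if n == krate { found.push(v.to_string()); }
        }
    }
    found
}

/// Versions of `krate` in the lock file that are not `expected`.
fn unexpected_versions(lock: &str, krate: &str, expected: &str) -> Vec<String> {
    resolved_versions(lock, krate).into_iter().filter(|v| v != expected).collect()
}

// Constructed sample lock file (not from a real project).
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "filetime"
version = "0.2.25"
[[package]]
name = "tar"
version = "0.4.44"
dependencies = ["filetime"]
[[package]]
name = "tar"
version = "0.4.45"
"#;

fn main() {
    for v in unexpected_versions(SAMPLE_LOCK, "tar", EXPECTED_TAR) {
        println!("tar {} differs from the expected {}", v, EXPECTED_TAR);
    }
}
```

An empty result from `resolved_versions` means the lock file does not pull in `tar` at all.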

“The community’s rapid response shows Rust’s maturity,” said a long-time Rust contributor. “The fix for the regressions alone would have justified the release, but the security patch makes it mandatory.”

The Rust team thanks the many contributors who helped identify and resolve these issues. Full details are available in the official changelog.

  • Regressions fixed: `std::thread::spawn` on `wasm32-wasip1-threads`, Windows `OpenOptionsExt`, Clippy ICE
  • Security fix: `tar` crate updated (CVE-2026-33055, CVE-2026-33056)
  • Cargo fix: `curl-sys` downgraded for FreeBSD certificate validation
  • How to update: `rustup update stable`

For a complete list of changes, visit the Rust blog.