Rust 1.94.1 Ships Critical Security Fixes and Regression Patches
Urgent Update: Rust 1.94.1 Now Available
The Rust team has released Rust 1.94.1, a point release addressing multiple regressions introduced in version 1.94.0 along with a critical security vulnerability. Users are urged to update immediately via rustup update stable.
Security Fix: Tar Library Vulnerabilities Patched
The release resolves CVE-2026-33055 and CVE-2026-33056 in the tar crate, which could allow arbitrary code execution or denial of service. The update bumps cargo's tar dependency to version 0.4.45.
“These vulnerabilities underscore the importance of prompt dependency updates. Users of
cargoshould upgrade immediately to stay protected.” — Rust Security Team
Notably, crates.io users are not affected by these particular CVEs, but the fix is included as a preventive measure.
Regression Fixes in 1.94.1
1. std::thread::spawn on wasm32-wasip1-threads
Thread spawning on WebAssembly targets with wasi-preview1 threads was broken. The fix restores functionality for multithreaded WASM applications.
2. Windows OpenOptionsExt Methods Removed
New, unstable methods added to std::os::windows::fs::OpenOptionsExt have been rolled back because the trait is not sealed, making extension with non-default methods impossible.
“We caught this inconsistency during review. Removing these methods ensures API stability until a proper extensibility mechanism is in place.” — Anonymous Rust Core Developer
3. Clippy: ICE in match_same_arms
An internal compiler error (ICE) triggered by Clippy's lint for duplicate match arms has been resolved.
4. Cargo: curl-sys Downgraded on FreeBSD
A downgrade of curl-sys from 0.4.84 back to 0.4.83 fixes certificate validation errors on some FreeBSD systems. The issue is tracked in this GitHub issue (placeholder).
Background
Rust is a systems programming language focused on safety, speed, and concurrency. Point releases (like 1.94.1) follow a standard process where regressions and urgent bugs are patched outside the normal six-week release cycle.
The 1.94.0 release introduced several regressions that impacted WebAssembly threading, Windows file handling, and Clippy's stability. The team moved quickly to address these.
What This Means
For developers: Update to Rust 1.94.1 to benefit from all fixes, especially if you use WASM threading, FreeBSD, or cargo. The security patch protects against potential exploits via malformed tar archives.
For the ecosystem: The removal of unstable Windows API methods reaffirms Rust's commitment to backward compatibility and careful API design.
Contributors
Many community members contributed to this release. The Rust team thanks everyone involved for their rapid response and thorough testing.
Update your installation now: rustup update stable. For more details, visit the official blog post.
Related Articles
- Kobo Unveils Collector Cases at BookCon 2026, Still No New E-Reader in Sight
- 7 Key Facts About the Splatoon Raiders Preorder Deal for Switch 2
- Wizards of the Coast Unveils Five Mono-Colored Commander Decks for Reality Fracture Launch
- Jeff Atwood Reflects on Loss, Gratitude, and the Critical Role of Community in AI
- Navigating the Proposed H-1B Salary Threshold Changes: A Practical Guide for Tech Employers and Workers
- How to Recognize Why Insurance Grounds the Flying Taxi Dream
- 10 Key Takeaways from ThoughtWorks' 34th Technology Radar
- GitHub Overhauls Status Page with New Severity Tiers and Per-Service Uptime Data