Rust 1.94.1 Released: Security Patch and Regression Fixes

Introduction

The Rust team has announced the release of Rust 1.94.1, a point release for the stable channel. This update addresses three regressions introduced in the previous version (1.94.0) and resolves two security vulnerabilities in a core dependency. Rust continues to empower developers to build reliable and efficient software, and this release ensures stability for all users.

Getting Rust 1.94.1

If you already have Rust installed via rustup, upgrading to the latest stable release is straightforward. Simply run:

rustup update stable

For those who haven't installed Rust yet, visit the official Install Rust page to get started with rustup. The installer will fetch the latest version automatically.

Key Changes in Rust 1.94.1

This minor release focuses on fixing issues that were inadvertently introduced in Rust 1.94.0. Below is a detailed breakdown of every change, including regressions and security patches.

Fixing Regressions from 1.94.0

Rust 1.94.1 corrects four regressions that affected specific platforms, tooling, or APIs:

• Fix std::thread::spawn on wasm32-wasip1-threads – The previous release broke thread spawning on this WebAssembly target, which is used for threaded Wasm modules. The fix restores the ability to create threads in Wasm environments that support the threads proposal.
• Revert new methods on std::os::windows::fs::OpenOptionsExt – Rust 1.94.0 added unstable methods to this Windows-specific trait. However, because the trait is not sealed, adding non-default methods could break existing implementations. The team reverted the additions to maintain backward compatibility. The methods will be reconsidered for a future release through a proper stabilization process.
• Clippy: fix ICE in match_same_arms – An internal compiler error (ICE) in the Clippy linter was triggered when analyzing certain match statements with identical arms. This fix prevents the crash and ensures smooth linting.
• Cargo: downgrade curl-sys to version 0.4.83 – An update of curl-sys in Rust 1.94.0 caused certificate validation failures on some versions of FreeBSD. By reverting to the previous version, developers on FreeBSD can once again use Cargo without SSL errors. See the GitHub issue for more details.

Security Fixes

Rust 1.94.1 includes a security patch for the tar crate, which is used by Cargo when handling crate archives:

• Cargo: Update tar to version 0.4.45 – This update addresses two vulnerabilities: CVE-2026-33055 and CVE-2026-33056. These CVEs could potentially be exploited by maliciously crafted tar files. Note that users of crates.io are not affected because the registry performs its own validation. However, local tar handling in Cargo is now hardened. For full details, refer to the official blog post.

Acknowledgments

This release was made possible by the collective efforts of the Rust community, including contributors who identified and fixed these issues, as well as the release team that coordinated the rollout. The Rust project sincerely thanks everyone involved for their dedication to improving the language and ecosystem.

To stay up-to-date with future releases, follow The Rust Blog or subscribe to the official announcements. Happy coding!