Rust 1.94.1 Released: Patch Fixes Regressions and Security Vulnerabilities

Overview of the Latest Point Release

The Rust development team has shipped version 1.94.1, a maintenance update that addresses several regressions introduced in the previous 1.94.0 release. This patch also resolves two security issues and improves stability for specific platforms. Rust continues to empower developers worldwide to build reliable and efficient software, and this release ensures that experience remains smooth for all users.

How to Update to Rust 1.94.1

If you already have Rust installed via rustup, upgrading is straightforward. Simply run the following command in your terminal:

rustup update stable

For those new to Rust, you can install rustup from the official website, which will guide you through the setup process and automatically fetch the latest stable version.

Regression Fixes in 1.94.1

Version 1.94.0 contained three regressions that have been corrected. Below is a detailed look at each fix.

1. std::thread::spawn on wasm32-wasip1-threads

A regression prevented the use of std::thread::spawn on the wasm32-wasip1-threads target. This has been resolved, restoring threading capabilities for WebAssembly applications using this target.

2. Removal of New Methods from std::os::windows::fs::OpenOptionsExt

In the 1.94.0 release, new methods were added to the std::os::windows::fs::OpenOptionsExt trait. While these methods were unstable, the trait itself is not sealed, meaning that extending it with non-default methods is not permitted. The Rust team has removed these methods to maintain API stability and correctness. Developers relying on this trait should check their code for any impact.

3. Clippy: ICE in match_same_arms

An internal compiler error (ICE) occurring in the Clippy linter rule match_same_arms has been fixed. This eliminates the crash that some users experienced when Clippy analyzed match expressions with identical arms.

Security Updates

Two security vulnerabilities have been addressed in this release, both related to the Cargo tool.

Cargo: Downgrade curl-sys to 0.4.83

The curl-sys dependency was downgraded from its previously updated version to 0.4.83. This change fixes a certificate validation error that affected some users on certain versions of FreeBSD. For more details, see the related issue.

Cargo: Update tar to 0.4.45

The tar crate has been updated to version 0.4.45, which addresses two CVEs:

• CVE-2026-33055
• CVE-2026-33056

These vulnerabilities could potentially impact users of the Cargo package manager. However, users of crates.io are not affected by these issues. For a comprehensive explanation, refer to the official Rust blog.

Acknowledgments

The Rust community continues to play a vital role in the language's evolution. Many contributors collaborated to identify, fix, and test the changes in Rust 1.94.1. The project extends its gratitude to everyone who helped make this release possible.

What’s Next for Rust?

Rust 1.94.1 is a point release focused on stability. The team encourages all users to update to benefit from the fixes. For those curious about ongoing development, the official release notes provide a detailed changelog, and the Rust blog offers insights into future directions.