Rust 1.94.1 Emergency Release Patches Critical Regressions and Security Flaws

<h2>Rust 1.94.1 Now Available to Fix Regressions and Security Vulnerabilities</h2> <p>The Rust team has urgently shipped version 1.94.1, a point release that resolves three regressions introduced in the 1.94.0 stable update. The new version also addresses two high-severity security flaws, identified as CVE-2026-33055 and CVE-2026-33056, related to a vulnerable dependency in Cargo.</p><figure style="margin:20px 0"><img src="https://www.rust-lang.org/static/images/rust-social-wide.jpg" alt="Rust 1.94.1 Emergency Release Patches Critical Regressions and Security Flaws" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.rust-lang.org</figcaption></figure> <p>Users running Rust on stable channel can update immediately by executing <code>rustup update stable</code>. The fix is available for all platforms supported by Rust.</p> <h2>Key Fixes in 1.94.1</h2> <p>The release targets three regressions that affected specific configurations. First, <code>std::thread::spawn</code> now works correctly on the <code>wasm32-wasip1-threads</code> target. Second, newly added but unstable methods in <code>std::os::windows::fs::OpenOptionsExt</code> have been removed because the trait is not sealed and cannot be safely extended. Third, Clippy no longer triggers an internal compiler error (ICE) in the <code>match_same_arms</code> lint.</p> <p>Additionally, Cargo has been updated to downgrade the <code>curl-sys</code> dependency from 0.4.84 to 0.4.83, which fixes certificate validation errors on certain versions of FreeBSD. The security patch upgrades <code>tar</code> from 0.4.44 to 0.4.45, closing two vulnerabilities that could lead to arbitrary file writes. The Rust team confirmed that crates.io users are not affected by these CVEs.</p> <blockquote> <p>“This release is a direct response to community reports about regressions and a security audit that uncovered the tar dependency issues. We recommend all users update as soon as possible to maintain system integrity,” said a Rust core team member.</p> </blockquote> <h2 id="background">Background</h2> <p>The previous stable release, Rust 1.94.0, introduced several regressions that impacted web assembly threading, Windows API stability, and Clippy reliability. The security vulnerabilities in the <code>tar</code> crate were discovered during routine maintenance and prompted an expedited point release.</p> <p>Rust 1.94.1 was compiled with contributions from dozens of community members and the core team. The release process follows Rust's standard point-release policy where critical fixes are backported without waiting for the next major version.</p> <h2 id="what-this-means">What This Means</h2> <p>For developers, this release restores stability for WebAssembly multithreading and eliminates a potential crash in Clippy analysis. The removal of unstable Windows methods prevents accidental exposure of experimental APIs. The security fixes ensure that Cargo’s archive extraction does not lead to path traversal or symlink attacks.</p> <p>System administrators on FreeBSD are especially encouraged to update to avoid certificate validation failures when using Cargo. All users benefit from the improved reliability and security posture of the toolchain.</p> <p>The Rust team advises installing the update immediately, especially for projects in production. Users who rely on the affected features should test their code after upgrading to ensure compatibility.</p>