Rust 1.94.1 Patch Release: Key Fixes and Security Update Explained

<p>Rust 1.94.1 is a minor point release that addresses three regressions introduced in version 1.94.0 along with a critical security fix. This update ensures continued stability for Rust users, particularly those on <code>wasm32-wasip1-threads</code>, Windows, or FreeBSD systems. If you already have Rust installed via <code>rustup</code>, simply run <code>rustup update stable</code> to upgrade. Below are the most important changes and fixes you need to know.</p> <nav role="navigation" aria-label="Table of Contents"> <ul> <li><a href="#q1">How do I update to Rust 1.94.1?</a></li> <li><a href="#q2">What regressions does Rust 1.94.1 fix?</a></li> <li><a href="#q3">What was fixed for <code>std::thread::spawn</code> on <code>wasm32-wasip1-threads</code>?</a></li> <li><a href="#q4">Why were new methods removed from <code>OpenOptionsExt</code> on Windows?</a></li> <li><a href="#q5">What Clippy issue was resolved in this release?</a></li> <li><a href="#q6">Why did Cargo downgrade <code>curl-sys</code>?</a></li> <li><a href="#q7">What security fixes does Rust 1.94.1 include?</a></li> </ul> </nav> <h2 id="q1">How do I update to Rust 1.94.1?</h2> <p>If you already have Rust installed via <code>rustup</code>, updating is simple. Open your terminal and run:</p><figure style="margin:20px 0"><img src="https://www.rust-lang.org/static/images/rust-social-wide.jpg" alt="Rust 1.94.1 Patch Release: Key Fixes and Security Update Explained" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.rust-lang.org</figcaption></figure> <pre><code>rustup update stable</code></pre> <p>This command will automatically download and install Rust 1.94.1. If you don't have <code>rustup</code> yet, you can get it from the official Rust website. 
After updating, you can verify the new version by running <code>rustc --version</code>, which should show <code>1.94.1</code>.</p> <h2 id="q2">What regressions does Rust 1.94.1 fix?</h2> <p>Version 1.94.1 resolves three specific regressions that were introduced in the previous 1.94.0 release. These regressions affected different parts of the Rust ecosystem:</p> <ul> <li><strong>WebAssembly threading:</strong> A fix for <code>std::thread::spawn</code> on the <code>wasm32-wasip1-threads</code> target.</li> <li><strong>Windows filesystem API:</strong> Removal of newly added unstable methods in <code>OpenOptionsExt</code> that broke the trait’s contract.</li> <li><strong>Clippy:</strong> An internal compiler error (ICE) in the <code>match_same_arms</code> lint was eliminated.</li> </ul> <p>These fixes restore expected behavior for users affected by the regressions.</p> <h2 id="q3">What was fixed for <code>std::thread::spawn</code> on <code>wasm32-wasip1-threads</code>?</h2> <p>Rust 1.94.0 introduced a regression that broke <code>std::thread::spawn</code> on the <code>wasm32-wasip1-threads</code> target, a platform for WebAssembly with threading support. The issue caused threads to fail to spawn correctly, limiting concurrent execution on that target. The Rust team identified the problem and applied a targeted fix in 1.94.1. If you are building applications that rely on WebAssembly threads using this target, updating will restore full threading functionality. No further configuration changes are needed.</p> <h2 id="q4">Why were new methods removed from <code>OpenOptionsExt</code> on Windows?</h2> <p>In Rust 1.94.0, several new methods were added to the <code>std::os::windows::fs::OpenOptionsExt</code> trait. While these methods were marked as unstable, the trait itself is not sealed—meaning external implementations could exist. Adding non-default methods to an unsealed trait is a breaking change under Rust’s stability guarantees. 
To maintain compatibility and avoid unintended breakage for any existing external implementations, the Rust team removed these methods in 1.94.1. The methods may be reintroduced in a future release through a proper RFC or by sealing the trait.</p> <h2 id="q5">What Clippy issue was resolved in this release?</h2> <p>Clippy, Rust’s linter, experienced an internal compiler error (ICE) when processing certain code patterns involving the <code>match_same_arms</code> lint. This lint flags arms in a match expression that are identical. The ICE occurred in specific edge cases, causing Clippy to crash instead of providing useful feedback. The fix in Rust 1.94.1 resolves the ICE, allowing Clippy to run smoothly again. Users who encountered Clippy crashes after upgrading to 1.94.0 should now see normal behavior. Just update Rust and re-run <code>cargo clippy</code> on your projects.</p> <h2 id="q6">Why did Cargo downgrade <code>curl-sys</code>?</h2> <p>In Rust 1.94.0, Cargo updated its dependency on <code>curl-sys</code> to a newer version. However, that update caused certificate validation errors for some users on certain versions of FreeBSD. These errors prevented Cargo from fetching or publishing crates. To restore correct behavior, Rust 1.94.1 downgrades <code>curl-sys</code> from the problematic version back to 0.4.83, which works reliably on FreeBSD. If you are on FreeBSD and experienced HTTPS-related errors with Cargo, this fix will resolve them. Users on other operating systems should see no change in functionality.</p> <h2 id="q7">What security fixes does Rust 1.94.1 include?</h2> <p>Rust 1.94.1 updates the <code>tar</code> crate to version 0.4.45 within Cargo. This update addresses two security vulnerabilities: <strong>CVE-2026-33055</strong> and <strong>CVE-2026-33056</strong>. These vulnerabilities could potentially be exploited when unpacking specially crafted tar archives. 
Notably, users of <code>crates.io</code> are <strong>not affected</strong> because the server-side handling is separate. Only users directly processing tar files via Cargo (e.g., when unpacking crate tarballs) are impacted. While the risk is low for typical workflows, the Rust team strongly recommends updating to 1.94.1 to ensure full protection. For more details, please see the official security advisory blog post.</p>
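<p>A check that can be run against a project's own lockfile, added here as an example and not taken from the Rust project or the original article: it reports any <code>tar</code> entry in a <code>Cargo.lock</code> that is older than the 0.4.45 release named above. It assumes that a project depending on the <code>tar</code> crate directly deserves the same review as Cargo's bundled copy; <code>SAMPLE_LOCK</code>, <code>parse_version</code> and <code>outdated_tar_entries</code> are names made up for this example.</p>

```rust
// Added example: flag `tar` entries in a Cargo.lock older than 0.4.45.
// SAMPLE_LOCK is constructed for illustration, not a real project's file.
const FIXED: (u64, u64, u64) = (0, 4, 45);

const SAMPLE_LOCK: &str = r#"
[[package]]
name = "filetime"
version = "0.2.25"

[[package]]
name = "tar"
version = "0.4.40"
dependencies = [
 "filetime",
]
"#;

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Versions of every `tar` package below FIXED. Unparseable or missing
/// versions are reported as well so that they get a manual look.
pub fn outdated_tar_entries(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    for block in lock.split("[[package]]").skip(1) {
        // First `key = "value"` line of this package block, unquoted.
        let field = |key: &str| -> Option<String> {
            block.lines().find_map(|line| {
                let (k, v) = line.split_once('=')?;
                (k.trim() == key).then(|| v.trim().trim_matches('"').to_string())
            })
        };
        if field("name").as_deref() != Some("tar") {
            continue;
        }
        match field("version") {
            Some(ver) if parse_version(&ver).map_or(false, |v| v >= FIXED) => {}
            Some(ver) => hits.push(ver),
            None => hits.push(String::from("<missing version>")),
        }
    }
    hits
}

fn main() {
    println!("{:?}", outdated_tar_entries(SAMPLE_LOCK));
}
```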
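<p>The breaking-change reasoning in the <code>OpenOptionsExt</code> section above, shown as an added example that is not code from the standard library or the original article: an unsealed trait next to a sealed one, with a required method added only to the sealed variant. Every trait, type and method name here (<code>OpenExt</code>, <code>SealedOpenExt</code>, <code>extra_flag</code> and so on) is hypothetical.</p>

```rust
// Added illustration: all trait, type and method names are hypothetical,
// not the standard library's.

/// Unsealed public trait: any downstream crate may implement it.
pub trait OpenExt {
    fn access_mode(&mut self, mode: u32) -> &mut Self;
    // Adding a required method here later, e.g.
    //     fn extra_flag(&mut self, on: bool) -> &mut Self;
    // breaks every existing downstream impl (E0046, missing trait item).
    // A provided (default) method does not:
    fn describe(&self) -> &'static str { "default" }
}

/// Stands in for a downstream type written against the original trait.
pub struct ThirdPartyOptions { pub mode: u32 }
impl OpenExt for ThirdPartyOptions {
    fn access_mode(&mut self, mode: u32) -> &mut Self {
        self.mode = mode;
        self
    }
}

mod private {
    pub trait Sealed {} // not nameable outside the defining crate
}

/// Sealed variant: only local impls can exist, so a required method
/// can be added without breaking anyone.
pub trait SealedOpenExt: private::Sealed {
    fn access_mode(&mut self, mode: u32) -> &mut Self;
    fn extra_flag(&mut self, on: bool) -> &mut Self; // added later
}

#[derive(Default)]
pub struct Options { pub mode: u32, pub flag: bool }
impl private::Sealed for Options {}
impl SealedOpenExt for Options {
    fn access_mode(&mut self, mode: u32) -> &mut Self { self.mode = mode; self }
    fn extra_flag(&mut self, on: bool) -> &mut Self { self.flag = on; self }
}

fn main() {
    let mut theirs = ThirdPartyOptions { mode: 0 };
    theirs.access_mode(3);
    let mut ours = Options::default();
    ours.access_mode(1).extra_flag(true);
    println!("{} {} / {} {}", theirs.mode, theirs.describe(), ours.mode, ours.flag);
}
```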