Rust 1.94.1: Key Fixes and Security Update – Q&A

<p>Rust 1.94.1 is a point release that addresses several regressions introduced in version 1.94.0, along with a security fix. This update is recommended for all users. If you already have Rust installed via <code>rustup</code>, simply run <code>rustup update stable</code> to upgrade. Below, we answer common questions about what’s new in this patch.</p> <h2 id="q1">How do I update to Rust 1.94.1?</h2> <p>Updating to the latest stable release is straightforward. Open your terminal and run:</p><figure style="margin:20px 0"><img src="https://www.rust-lang.org/static/images/rust-social-wide.jpg" alt="Rust 1.94.1: Key Fixes and Security Update – Q&amp;A" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.rust-lang.org</figcaption></figure> <pre><code>rustup update stable</code></pre> <p>This command will fetch Rust 1.94.1 and set it as your default toolchain. If you don’t have <code>rustup</code> installed, you can get it from the official Rust website. The process takes only a few seconds and your existing projects will continue to work seamlessly.</p> <h2 id="q2">What regressions were fixed in Rust 1.94.1?</h2> <p>This point release resolves three regressions that were accidentally introduced in Rust 1.94.0:</p> <ul> <li><strong>Fix <code>std::thread::spawn</code> on <code>wasm32-wasip1-threads</code></strong> – A bug that prevented spawning threads on this WebAssembly target was corrected.</li> <li><strong>Removed new methods from <code>std::os::windows::fs::OpenOptionsExt</code></strong> – Unstable extension methods were added in 1.94.0, but the trait is not sealed, making extension impossible. These were reverted.</li> <li><strong>Clippy: fix ICE in <code>match_same_arms</code></strong> – An internal compiler error (ICE) that occurred when using Clippy’s <code>match_same_arms</code> lint was fixed.</li> <li><strong>Cargo: downgraded <code>curl-sys</code> to 0.4.83</strong> – This addresses certificate validation errors on some FreeBSD versions.</li> </ul> <h2 id="q3">Why was the <code>std::thread::spawn</code> fix important for WebAssembly?</h2> <p>The <code>wasm32-wasip1-threads</code> target allows Rust programs to use native threads on WebAssembly runtimes that support the WASI threading model. The regression in 1.94.0 broke <code>std::thread::spawn</code>, causing applications that rely on multi-threading to fail. By fixing this, Rust 1.94.1 restores the ability to build concurrent WebAssembly modules. This is especially important for developers working on server-side Wasm or high-performance web applications that need parallelism.</p> <h2 id="q4">What happened with the <code>OpenOptionsExt</code> new methods on Windows?</h2> <p>In Rust 1.94.0, unstable methods were added to <code>std::os::windows::fs::OpenOptionsExt</code>. However, because the trait is <em>not sealed</em>, it cannot be extended with non-default methods without breaking backward compatibility. The Rust team decided to remove these methods to preserve the trait’s extensibility and avoid future issues. Developers who were using these unstable features may need to adjust their code, but no stable API was affected.</p> <h2 id="q5">What was the Clippy ICE fix about?</h2> <p>The Clippy lint <code>match_same_arms</code> detects when multiple match arms have identical bodies. In Rust 1.94.0, running this lint could trigger an internal compiler error (ICE), crashing Clippy. The fix in 1.94.1 corrects the span handling within the lint, so it now runs reliably. This allows developers to continue using Clippy’s powerful code quality checks without unexpected crashes.</p> <h2 id="q6">What security fixes are included in this release?</h2> <p>Cargo has updated the <code>tar</code> dependency to version 0.4.45 to resolve two vulnerabilities: <strong>CVE-2026-33055</strong> and <strong>CVE-2026-33056</strong>. These CVEs affect how tar archives are extracted, but users of <code>crates.io</code> are not impacted directly. The fix ensures that Cargo’s archive handling remains secure. Additionally, the downgrade of <code>curl-sys</code> to version 0.4.83 resolves certificate validation failures on some FreeBSD systems. No other security changes were made.</p> <h2 id="q7">Who contributed to Rust 1.94.1?</h2> <p>Many community members and the Rust team collaborated to deliver this point release. Contributors filed bug reports, submitted patches, and reviewed changes. The Rust project thanks everyone who helped identify and fix these regressions and security issues. Without such active community involvement, delivering a stable and secure toolchain would be far more challenging. If you’re interested in contributing, check out the <a href="https://github.com/rust-lang/rust">Rust repository on GitHub</a>.</p>