FIND-20260325-009 · 2026-03-25 · Innovation Veille
Rust 1.94.1 incoming March 26 — patches CVE-2026-33056 in Cargo
release
HIGH
Rust 1.94.1 is scheduled for release on March 26, 2026, as a patch release specifically to address CVE-2026-33056 in the tar-rs crate used by Cargo. This is an out-of-cycle security patch — Rust 1.94.0 was released March 5. Developers and CI pipelines should update immediately when 1.94.1 drops. The fix upgrades tar-rs to 0.4.45+.
Source
https://blog.rust-lang.org/2026/03/21/cve-2026-33056/
ODS Impact
All ODS Rust services (oid, billing-engine, pdf-engine, docstore, etc.) build with Cargo. The vulnerability allows a malicious crate to chmod arbitrary filesystem directories during extraction. Update the Rust toolchain (via rustup) on all build machines and CI runners to 1.94.1 as soon as it releases on March 26.
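A CI gate for the update step above, as an added example that is not part of the original finding or of the Rust project's tooling: it parses the line printed by `cargo --version` or `rustc --version` and fails the job when the toolchain is older than 1.94.1. The function names, exit-code convention and `--gate` flag are assumptions made for illustration; pre-release builds are reported as unverifiable because the finding names no fixed nightly or beta.

```shell
#!/bin/sh
# Added example (not from the advisory): CI gate for the 1.94.1 toolchain floor.
MIN_VERSION="1.94.1"   # first release carrying the fix, per this finding

# version_ge A B: succeed when A >= B. Both must be plain MAJOR.MINOR.PATCH.
# Fields are compared numerically, so 1.100.0 correctly sorts above 1.94.1.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2        # $1..$3 = fields of A, $4..$6 = fields of B
    IFS=$old_ifs
    if [ "$1" -ne "$4" ]; then
        if [ "$1" -gt "$4" ]; then return 0; else return 1; fi
    fi
    if [ "$2" -ne "$5" ]; then
        if [ "$2" -gt "$5" ]; then return 0; else return 1; fi
    fi
    if [ "$3" -ge "$6" ]; then return 0; else return 1; fi
}

# check_toolchain LINE: LINE is the output of `cargo --version` or `rustc --version`.
# Returns 0 = at or above MIN_VERSION, 1 = older (vulnerable), 2 = cannot verify.
check_toolchain() {
    tool=${1%% *}; rest=${1#* }; ver=${rest%% *}
    case "$tool" in cargo|rustc) ;; *) return 2 ;; esac
    case "$ver" in
        *[!0-9.]*) return 2 ;;             # -nightly / -beta.N: not verifiable here
        *.*.*.*) return 2 ;;               # more than three fields
        [0-9]*.[0-9]*.[0-9]*) ;;           # exactly MAJOR.MINOR.PATCH
        *) return 2 ;;
    esac
    if version_ge "$ver" "$MIN_VERSION"; then return 0; fi
    echo "$tool $ver predates $MIN_VERSION (CVE-2026-33056 fix)" >&2
    return 1
}

# Gate mode for a CI step: ./check_toolchain.sh --gate
if [ "${1:-}" = "--gate" ]; then
    rc=0
    check_toolchain "$(cargo --version)" || rc=$?
    exit "$rc"
fi
```

Exit code 2 should fail the job as well as 1, so that a runner pinned to a nightly or beta channel is reviewed by hand rather than passed silently.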
Security Review
License: MIT AND Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: ADOPT
Tags
rust
cargo
release
security
patch
supply-chain