FIND-20260329-019 · 2026-03-29 · Innovation Veille

Rust 1.94.1 released — patches CVE-2026-33055 and CVE-2026-33056 in Cargo tar dependency

release MEDIUM
Rust 1.94.1 was released March 26, 2026 as a patch release. It updates Cargo's tar dependency to version 0.4.45, fixing CVE-2026-33055 and CVE-2026-33056 (arbitrary directory permission modification via symlink following). Additional fixes include std::thread::spawn on wasm32-wasip1-threads and removal of unstable Windows fs methods. Clippy received an ICE fix. Previous known version in last-versions.json was 1.94.1 — no version bump needed, confirming ODS is tracking the correct latest.

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

All ODS Rust services should ensure their CI/CD GitHub Actions workflows use rust-toolchain = 1.94.1, or stable where it resolves to this version. No code changes are required, only a toolchain pin update.
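
One way to audit the pin described above, as an added example that is not ODS or Rust project code. It assumes each service checkout carries a rust-toolchain.toml or legacy rust-toolchain file (the file names rustup reads); the function names and status labels are hypothetical.

```python
import re
import sys
from pathlib import Path

# Release this page names as shipping Cargo with tar 0.4.45.
MIN_PATCHED = (1, 94, 1)

CHANNEL_RE = re.compile(r'^\s*channel\s*=\s*["\']([^"\']+)["\']', re.MULTILINE)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def read_channel(text):
    """Extract the channel from rust-toolchain.toml text or a legacy one-line file."""
    match = CHANNEL_RE.search(text)
    if match:
        return match.group(1)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) == 1 and "=" not in lines[0] and not lines[0].startswith("["):
        return lines[0]
    return None


def classify(channel):
    """Return ok / outdated / review / unpinned for a channel string."""
    if not channel:
        return "unpinned"
    match = VERSION_RE.match(channel)
    if not match:
        return "review"  # stable, beta, nightly-*: version depends on install time
    major, minor, patch = match.groups()
    if patch is None:
        # "1.94" lets rustup pick the newest 1.94.x it knows, so check the runner.
        return "review" if (int(major), int(minor)) >= MIN_PATCHED[:2] else "outdated"
    return "ok" if (int(major), int(minor), int(patch)) >= MIN_PATCHED else "outdated"


def audit(root):
    """Map each toolchain file under root to (channel, status)."""
    results = {}
    for name in ("rust-toolchain.toml", "rust-toolchain"):
        for path in sorted(Path(root).rglob(name)):
            if path.is_file():
                channel = read_channel(path.read_text(encoding="utf-8"))
                results[str(path)] = (channel, classify(channel))
    return results


if __name__ == "__main__":
    for path, (channel, status) in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:9} {channel or '-':12} {path}")
```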

Security Review

License: MIT/Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

rust release cargo security-fix toolchain