FIND-20260329-001 · 2026-03-29 · Innovation Veille

Rust 1.94.1 released — patches CVE-2026-33056 (tar crate privilege escalation via Cargo)

release HIGH
Rust 1.94.1 was released on 2026-03-26, shipping a patched version of the tar crate to fix CVE-2026-33056. The vulnerability allowed a malicious crate to change permissions on arbitrary directories when Cargo extracted it during a build. crates.io users are protected (the registry blocked exploitative uploads on 2026-03-13 and audited all past crates), but users of alternate private registries should verify their posture. The last known version in last-versions.json was also 1.94.1 (already tracked from the 2026-03-28 scan), so there is no version delta.

Source

https://github.com/rust-lang/rust/releases/tag/1.94.1

ODS Impact

ODS builds Rust services (billing-engine, oid, pdf-engine, docstore) via Cargo. Rust 1.94.1 is the current stable — no upgrade needed. The CVE is separately tracked. All ODS services use crates.io; risk is LOW.

Security Review

License: Apache-2.0 / MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

rust release security cargo cve-fix