FIND-20260403-004 · 2026-04-03 · Innovation Veille

Rust 1.94.1 — Security Patch for tar Crate CVE-2026-33055 and CVE-2026-33056

release HIGH
Rust 1.94.1 patch release (March 26, 2026) upgrades the tar crate to 0.4.45 to address two security vulnerabilities: CVE-2026-33055 and CVE-2026-33056. Additional fixes include a wasm32-wasip1-threads thread spawn fix, removal of unstable Windows fs methods, and a Clippy crash fix. ODS currently tracks Rust 1.94.1 as the known version, confirming this is already the current baseline.

Source

https://github.com/rust-lang/rust/releases/tag/1.94.1

ODS Impact

ODS services are built with Rust. If any ODS Rust service uses the tar crate directly for archive processing (e.g., document extraction in DocStore or PDF Engine), it should use tar >= 0.4.45. The rustc toolchain update to 1.94.1 is already reflected in ODS version tracking. Verify Cargo.lock files in active services do not pin an older tar version.

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

rust release security cve tar
Generated by ODS Innovation Veille · 2026-04-03T07:06:48+00:00