Rust 1.94.1 Patch Release Brings Stability and Security Improvements

Rust 1.94.1 resolves three regressions introduced in the 1.94.0 release, and the most pressing reason to update isn't a compiler crash or a broken API — it's two security vulnerabilities sitting inside your build toolchain right now.

Cargo's tar dependency was bumped to version 0.4.45, resolving CVE-2026-33055 and CVE-2026-33056. The updated tar library addresses archive extraction vulnerabilities that could compromise local builds. Users accessing crates.io directly are not affected by these flaws, but anyone running offline toolchains or managing their own package registries needs this patch immediately.

The two remaining regressions are platform-specific but sharp. Unstable methods that were inadvertently added to `std::os::windows::fs::OpenOptionsExt` have been removed; the trait itself is not sealed and therefore cannot be extended with non-default methods, meaning their presence in 1.94.0 created incorrect assumptions for any codebase that picked them up. On the Cargo side, `curl-sys` was downgraded to version 0.4.83, fixing a certificate validation error for some users on certain versions of FreeBSD.

The Rust Release Team published 1.94.0 on March 5, 2026, packing in the new `array_windows` slice iterator, TOML v1.1 support in Cargo manifests, and a batch of stabilized APIs. The pace from feature release to point release — just three weeks — reflects how seriously the team treats regressions that ship to stable.

If you have a previous version of Rust installed via rustup, getting 1.94.1 is as easy as running `rustup update stable`. The three fixes are surgical; nothing about your existing code or Cargo.toml configuration changes with this update. The only risk is in not running it.