Rust 1.96.0 pre-release build opens testing for Cargo fixes

Rust 1.96.0’s last pre-release build landed two days before ship, with Cargo security fixes and a call to stress the release train before it froze.

Nina Kowalski

A Cargo security fix was on the line as Rust 1.96.0 entered its final test window, and the Rust Release Team put the candidate stable build in front of users before the May 28 ship date. The pre-release notice went out on May 26, 2026, and pointed testers to the 2026-05-26 dist index so they could validate the build before the release locked in.

The team told users to test with RUSTUP_DIST_SERVER=https://dev-static.rust-lang.org rustup update stable, a simple instruction that turned the pre-release into a real smoke test for downstream maintainers, CI owners, and package authors. It also sent feedback traffic in two directions at once: the Rust Internals thread for immediate reactions, and a GitHub issue for broader discussion of possible changes to the pre-release process. The announcement thread had 7 replies and 442 views when indexed, enough to show that the notice reached beyond the release team’s own channel.

That testing mattered because 1.96.0 was not just another point release. The May 28 announcement confirmed the stable release landed on schedule, and the notes included new stable range types, new assert_matches! and debug_assert_matches! macros, and a Cargo change that lets a dependency specify both a git repository and an alternate registry. For anyone carrying Rust into production, that mix of language, library, and package-manager changes meant the pre-release build was the safest place to catch incompatibilities before the official handoff.

The Cargo side carried extra urgency. On May 25, 2026, the Rust Project published CVE-2026-5223, a vulnerability affecting all Cargo versions shipped before Rust 1.96.0. The advisory said Cargo had incorrectly handled symlinks inside crate tarballs downloaded from third-party registries, and that Rust 1.96.0 would update Cargo to reject extracting any symlink. crates.io users were not affected because crates.io forbids symlinks in uploaded crates. Christos Papakonstantinou reported the issue, Josh Triplett developed the fix, and Emily Albini wrote the advisory while Emily Albini, Josh Stone, and Manish Goregaokar coordinated disclosure.
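
As an added example (not code from the Rust Project or from Cargo), the following Python script applies the rule the advisory describes to a crate tarball obtained from a third-party registry: it lists every symlink entry by reading the archive headers, without extracting anything. It goes slightly beyond the advisory by also reporting hard-link entries; the crate name, paths and sample archives are constructed for illustration.

```python
import io
import tarfile


def find_link_entries(crate_bytes):
    """Return (member name, kind, link target) for every link entry in a .crate archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as archive:
        for member in archive:  # reads headers only; nothing is written to disk
            if member.issym():
                findings.append((member.name, "symlink", member.linkname))
            elif member.islnk():
                findings.append((member.name, "hardlink", member.linkname))
    return findings


def build_sample_crate(with_symlink):
    """Constructed sample input: a tiny gzip tarball shaped like demo-0.1.0.crate."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        body = b"pub fn hello() {}\n"
        source = tarfile.TarInfo("demo-0.1.0/src/lib.rs")
        source.size = len(body)
        archive.addfile(source, io.BytesIO(body))
        if with_symlink:
            link = tarfile.TarInfo("demo-0.1.0/assets")
            link.type = tarfile.SYMTYPE
            link.linkname = "src"  # constructed target; any symlink entry is flagged
            archive.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with symlink", True)):
        hits = find_link_entries(build_sample_crate(flag))
        print(label, "->", hits or "no link entries")
```

To audit real files, pass the bytes of each downloaded .crate archive to find_link_entries and treat any non-empty result as a reason to quarantine the archive.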

Rust 1.96.0’s pre-release did what the best release candidates always do: it turned the last stretch before shipping into a public stress test. The same pattern had already appeared with Rust 1.95.0 on April 13 and Rust 1.93.0 on January 21, showing that this is not an emergency ritual so much as part of the Rust release train itself, one more place where the ecosystem gets to prove the next stable build is ready before it becomes the default.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
