Skip to content
Rust Releases
Rust Releases

Rust 1.96.0 release notes: security fixes and compatibility changes

Rust 1.96.0 release notes: security fixes and compatibility changes Rust 1.96.0 shipped on June 2, 2026 with two Cargo security fixes and a set of target and toolchain compatibility updates, according to the release notes. TL;DR In short: Upgrade if you use Cargo with git and registry dependencies or you need the LoongArch and RISC-V […]

Jack Pauley June 2, 2026 6 min read
Rust 1.96.0 release notes

Rust 1.96.0 release notes: security fixes and compatibility changes

Rust 1.96.0 shipped on June 2, 2026 with two Cargo security fixes and a set of target and toolchain compatibility updates, according to the release notes.

TL;DR

In short: Upgrade if you use Cargo with git and registry dependencies or you need the LoongArch and RISC-V target updates. Stage the rollout if you ship to AVR, wasm, or you build Rust from source with a pinned LLVM.

Key changes

  • Security (Cargo): Rust 1.96.0 includes fixes for CVE-2026-5222 and CVE-2026-5223, according to the release notes.
  • Compatibility: The release updates the minimum external LLVM to 21 and changes AVR c_double to f32, the notes say.
  • Tooling: Cargo can now specify both a git repository and an alternate registry for one dependency.
  • Stabilized APIs: The release stabilizes assert_matches! and debug_assert_matches!, plus multiple range iterator APIs.
  • Targets: The compiler enables link relaxation for LoongArch Linux targets and updates the riscv64gc-unknown-fuchsia baseline to RVA22 plus vector.

Details

Security fixes in Cargo

The Cargo team fixed CVE-2026-5222 and CVE-2026-5223 in Rust 1.96.0, according to the release notes. The notes do not spell out full impact in this summary, so security teams should review the linked advisories before rollout.

Fast check. Run your CI with the new toolchain and a clean lockfile update if your policy allows it.

Language, compiler, and library updates

The language changes include passing expr metavariables to cfg, always coercing never types in tuple expressions, and adding support for s390x vector registers in inline assembly, according to the notes. The release also fixes a Rust 1.94.0 regression by allowing constants of type ManuallyDrop as patterns.

In the standard library, Rust 1.96.0 adds support for iterating over ranges of NonZero integers and adjusts the “valid for read/write” definition to exclude null, the release notes say. The notes also cite a fix for SGX delayed host lookup via ToSocketAddr.

Cargo and Rustdoc behavior

Cargo now allows a dependency to include both a git source and an alternate registry source in Cargo.toml. The team describes the behavior as “git locally, registry on publish,” in the usage guidance included with this release summary.

Rustdoc now renders deprecation notes like other documentation and stops emitting missing_doc_code_examples on impl items, according to the notes. It also separates methods and associated functions in the sidebar.

Compatibility notes and breaking changes to watch

Rust 1.96.0 changes behavior in several places that can break builds, especially on niche targets and custom toolchains. Some teams treat “stable” as “drop it into CI the same day.” Embedded teams usually do not.

  • AVR ABI change: On AVR targets, c_double now maps to f32 instead of f64, the notes say. Projects with FFI bindings should update generated bindings and rerun target-specific tests.
  • Compiler flag removal: The compiler removes -Csoft-float. The notes recommend using target features to control floating-point behavior.
  • Import syntax: Importing structs with ::{self} is now disallowed. The release notes suggest replacing it with a type alias or a standard import.
  • Link attribute precedence: If multiple export_name, link_name, or link_section attributes exist, the first now takes precedence, according to the notes.
  • Toolchain floor: The minimum external LLVM moves to 21. This mainly hits teams that build Rust from source or ship custom toolchains.

Other items in the compatibility list include stopping –allow-undefined on wasm targets, gating an accidentally stabilized #![reexport_test_harness_main], and new errors for too-private RPITIT types. There’s probably a corner case here that only shows up in a monorepo at 2 a.m., but…

Background

The Rust project describes 1.96.0 as a maintenance release with incremental improvements, plus security fixes in Cargo. The official release notes also list stabilized APIs including LazyCell, LazyLock, and several core::range iterator types.

For upgrades, the common path uses rustup: run rustup update stable, then verify with rustc –version. The full upstream notes for Rust 1.96.0 are available on GitHub.

🛠️ Try These Free Tools

📦 Dependency EOL Scanner

Paste your dependency file to check for end-of-life packages.

🗺️ Upgrade Path Planner

Plan your upgrade path with breaking change warnings and step-by-step guidance.

🔒 CVE Dashboard

Real-time CVE feed filtered by technology and severity.

See all free tools →

Track These Releases

Rust Releases

Stay Updated

Get the best releases delivered monthly. No spam, unsubscribe anytime.

By subscribing you agree to our Privacy Policy.

More Rust Articles

Release Guide Jan 28, 2026
Rust v1.93.0: SIMD, Variadic Functions, Platform Support
View all Rust releases →