Rust 1.96.0 Release Notes: CVEs Fixed & New APIs

Rust 1.96.0 shipped on May 28, 2026. This maintenance release packs backend improvements, bug fixes, and a handful of stabilized APIs. The rust 1.96.0 release notes highlight changes to the compiler, libraries, Cargo, and rustdoc. It also includes important compatibility notes and security fixes. Expect smoother builds and safer code.

This maintenance release is recommended for all Rust users. It patches two CVEs in Cargo, stabilizes several APIs, and fixes lingering bugs. The update also enforces stricter layout rules and removes the deprecated -Csoft-float flag.

What Changed

Language: Allow passing expr metavariable to cfg. Coerce never types in tuple expressions. Support s390x vector registers in inline assembly.
Compiler: Enable link relaxation for LoongArch Linux targets. Update riscv64gc-unknown-fuchsia baseline to RVA22 + vector.
Libraries: Support iterating over ranges of NonZero integers. Fix SGX delayed host lookup via ToSocketAddr.
Stabilized APIs: assert_matches!, debug_assert_matches!, From<T> for AssertUnwindSafe<T>, From<T> for LazyCell<T, F>, From<T> for LazyLock<T, F>, and new range types.
Cargo: Allow a dependency to specify both a git repository and an alternate registry. Added target-specific rustdocflags support. Fixed CVE-2026-5222 and CVE-2026-5223.
Rustdoc: Deprecation notes now render like any other documentation. Separate methods and associated functions in sidebar.
Compatibility Notes: Fix layout of #[repr(Int)] enums. Prevent unsize-coercing into Pin<Foo>. Stop passing --allow-undefined on wasm targets. Update minimum external LLVM to 21. On AVR targets, c_double now maps to f32. Remove -Csoft-float.

Why It Matters

Maintenance release: no specific user-facing features changed, but the compiler and toolchain gain stability and security.
The CVE fixes make this a critical update for any project using Cargo with registries or git dependencies.
Stabilized APIs like assert_matches! and new range types reduce boilerplate and make code safer.
Breaking changes (e.g., c_double on AVR) ensure correct behavior across platforms.

Who Should Upgrade

This release is particularly relevant for API developers building integrations, DevOps teams managing deployments, and anyone using Cargo with external registries. The two CVEs patched in Cargo mean all projects should upgrade immediately. Users on AVR targets or those relying on -Csoft-float need to adjust their code.

How to Upgrade

Update your Rust toolchain: run rustup update stable.
Verify the installed version: rustc --version should print rustc 1.96.0.
For projects using Cargo, run cargo update to refresh the lock file with the fixed Cargo.
Test your project: cargo test to ensure no regressions from the compatibility changes.

Usage Examples

assert_matches! macro: Use this stabilized macro to assert that a value matches a pattern. It produces a clear panic message on failure.
NonZero range iteration: Iterate over ranges of NonZero integers directly, avoiding manual filter checks for zero.
Cargo alternate registry: Specify both a git repository and an alternate registry in a dependency. The git repo is used locally, the registry version on publish.

Breaking Changes

c_double on AVR targets: Now f32 instead of f64 to match C’s double. Update any external FFI code.
Remove -Csoft-float: This compiler flag is removed. Use target features instead.
Import restriction: use S::{self as Other} is no longer permitted.
Layout fix for repr(Int) enums: May affect code relying on previous (incorrect) layout.
Minimum LLVM version: Now LLVM 21. Older LLVM installations will not work.

Known Issues

No known issues reported in the official rust 1.96.0 release notes.
Developers are encouraged to monitor the Rust issue tracker for post-release reports.