Skip to content
Rust Releases
Rust Releases

Rust 1.96.0 patches two Cargo CVEs, and it’s the kind of “boring” release I actually love

Rust 1.96.0 patches two Cargo CVEs, and it’s the kind of “boring” release I actually love Cargo fixes CVE-2026-5222 and CVE-2026-5223 in Rust 1.96.0, and that alone makes this worth trying in staging. Remember when “just a patch update” still meant a week of CI weirdness and one mystery break in an embedded build? Rust […]

Jack Pauley June 24, 2026 6 min read
Rust 1.96.0 release notes

Rust 1.96.0 patches two Cargo CVEs, and it’s the kind of “boring” release I actually love

Cargo fixes CVE-2026-5222 and CVE-2026-5223 in Rust 1.96.0, and that alone makes this worth trying in staging.

Remember when “just a patch update” still meant a week of CI weirdness and one mystery break in an embedded build? Rust 1.96.0 feels calmer than that, but it still carries a couple of changes that deserve a deliberate rollout, especially if you ship binaries, touch third-party registries, or do any FFI on niche targets.

Highlights (what I’d tell my team first)

The thing nobody mentions is that Cargo security fixes often matter more than the compiler candy. In 1.96.0, Cargo fixes CVE-2026-5222 and CVE-2026-5223, and if you run private registries or you ingest crates from places you do not fully control, you should not sit on this.

Good news. You can still be optimistic and safe.

  • Cargo security: Rust 1.96.0 includes fixes for CVE-2026-5222 and CVE-2026-5223 in Cargo. Link these in your internal upgrade ticket so security and release engineering sign off on the same facts.
  • Better testing ergonomics: assert_matches! and debug_assert_matches! land as stabilized APIs, so you can delete a small pile of homegrown macros in test code.
  • Rustdoc gets easier to scan: Rustdoc now separates methods and associated functions in the sidebar, which makes “where is that constructor again?” noticeably faster in big APIs.
  • Embedded and toolchain heads-up: AVR c_double now maps to f32, and Rust bumps the minimum external LLVM to 21. If your CI installs LLVM from the OS package manager, check it before you burn half a day.

Deep dive: the changes that actually show up in day-to-day work

I’ve watched teams upgrade Rust and only notice the fun stuff, then get blindsided by the “tiny” compatibility lines in the release notes. So I like to split this release into two piles: stuff you will enjoy immediately, and stuff you should test once and forget.

Stabilized APIs you can use today

This is my favorite kind of progress. Rust keeps shipping small, sharp tools that remove boilerplate without changing the language vibe.

  • assert_matches! and debug_assert_matches!: Great for tests that want to pin down shape, not just equality. Early signs look good in real test suites, but I haven’t stress-tested compile times across a huge workspace yet.
  • New core::range types and related additions: If you maintain low-level libraries, these details matter because you can express intent more directly, and your docs end up cleaner.

If you want a quick taste, this is the kind of test I reach for when a function returns an enum and I only care about one field.

  • Example idea: Use assert_matches! to match Ok(value) and validate a single property without a nested match tree.

Libraries: safer iteration and a couple of sharp edges filed down

The NonZero range iteration support looks like a small library tweak, but it’s the sort of thing that quietly improves code quality. You stop writing “plus one, but do not hit zero” loops, and your intent reads straight through.

  • Ranges of NonZero integers: Useful when zero has semantic meaning and you want the type system to keep you honest.
  • SGX networking fix via ToSocketAddr: If you run SGX builds, this falls into the “thank you, future me” category. It fixes delayed host lookup behavior that can turn into annoying runtime failures.

Cargo: a nicer workflow for “dev from git, publish from registry”

So. This one makes me smile because it matches how people actually work.

Before, you often had to choose between a git dependency for active development and a registry dependency for publishing, then juggle branches or patch sections to keep everyone happy. Now Cargo allows a dependency to specify both a git repository and an alternate registry, which means you can develop against a repo locally but publish against a registry source without playing games in your manifest.

  • What to test: Run your usual cargo update and cargo publish –dry-run flows in staging CI. Dependency resolution changes rarely fail loudly. They fail at 2:00 a.m. on release night.
  • Rustdoc flags per target: The new target.’cfg(..)’.rustdocflags support helps if your docs build differs by target. That’s niche, but when you need it, you really need it.

Compatibility and breaking changes (read this if you own CI or ship to weird targets)

This bit me once: I upgraded a “safe” toolchain, then a firmware build started returning nonsense floats over FFI, and the unit tests never noticed because they ran on x86_64. Do not be that week.

  • AVR: c_double now maps to f32: If you bind to C on AVR and you assumed double behaves like a 64-bit float, review your FFI signatures and rerun hardware or emulator tests. This can change ABI and numeric behavior.
  • -Csoft-float is gone: If you still pass -Csoft-float in build scripts or CI flags, remove it and switch to target features. Grep your repo for it. It tends to hide in Dockerfiles.
  • Minimum external LLVM is 21: If you build rustc or you use an external LLVM for tooling, confirm your environment. I’ve seen “works on my laptop” fail in CI because Ubuntu LTS shipped an older LLVM.
  • BTreeMap::append() may panic with incorrect Ord: This sounds like “well, don’t implement Ord wrong,” and sure. In practice, a buggy Ord can sit in a dependency for years until a new optimization makes it explode. Run integration tests that exercise maps with your domain types.
  • Import syntax tightened: Importing structs with ::{self [as name]} no longer works. This should show up as a clean compiler error, so the fix usually feels straightforward.

Upgrade notes (optimistic, not reckless)

Do this in staging first.

For most teams, Rust 1.96.0 should upgrade like a normal stable release, and the security fixes in Cargo make it worth scheduling soon. I’d roll it out by pinning CI to 1.96.0, running the full test matrix once, then updating developer toolchains after CI stays green for a day or two.

  • Update: Run rustup update stable.
  • Verify: Run rustc –version and confirm it prints 1.96.0.
  • Build: Run cargo build in your main workspace, then run your test suite.
  • Targeted checks: If you ship AVR, SGX, or other special targets, rebuild those artifacts and run at least one real smoke test, not just a compile.

If your org uses third-party registries, read the CVE advisories for CVE-2026-5222 and CVE-2026-5223 and attach them to the upgrade PR. It keeps the conversation crisp.

Other stuff in this release: target baseline tweaks, internal JSON target validation, some doc rendering polish, the usual.

🛠️ Try These Free Tools

⚠️ K8s Manifest Deprecation Checker

Paste your Kubernetes YAML to detect deprecated APIs before upgrading.

🐳 Dockerfile Security Linter

Paste a Dockerfile for instant security and best-practice analysis.

📦 Dependency EOL Scanner

Paste your dependency file to check for end-of-life packages.

See all free tools →

Track These Releases

Rust Releases Bun Releases

Stay Updated

Get the best releases delivered monthly. No spam, unsubscribe anytime.

By subscribing you agree to our Privacy Policy.

More Rust Articles

Release Guide Jun 23, 2026
Rust 1.96.0: Maintenance Release with CVEs Fixed
Release Guide Jun 18, 2026
rust v1.96.0: Stabilized APIs & Cargo Fixes
Release Guide Jun 16, 2026
rust v1.96.0: Maintenance and Security
Release Guide Jun 15, 2026
rust v1.96.0: Maintenance & Security Fixes
View all Rust releases →