Rust 1.96.1
Rust 1.96.1 has been released — a point release that focuses on fixing regressions, patching security vulnerabilities, and improving the reliability of Cargo.
What Changed
The Rust team published version 1.96.1 on June 30, 2026, just over a month after the 1.96.0 stable release. Unlike its predecessor, which introduced new language features and ecosystem expansions, 1.96.1 is squarely a maintenance release aimed at stability.
The headline fixes address three areas: Cargo's HTTP client, a miscompilation in MIR optimization, and three security vulnerabilities in libssh2 — a dependency compiled into Cargo.
Cargo HTTP Retries and Timeouts
One of the most user-facing fixes in Rust 1.96.1 involves Cargo's HTTP client. In certain network conditions — flaky Wi-Fi, proxy timeouts, or rate-limited registries — Cargo would fail to retry requests when it should have. The result: spurious build failures on CI pipelines and developer machines alike.
The fix ensures that Cargo properly retries failed HTTP requests with appropriate backoff, and respects timeout configurations more strictly. Developers working in environments with unreliable connectivity should see a noticeable reduction in "failed to fetch" errors.
MIR Miscompilation Fix
A more subtle but critical fix lands in the compiler's Mid-level Intermediate Representation optimization pass. The bug could produce incorrect machine code in certain edge cases involving borrow-checker elision and inlining. While the Rust team's testing suggests the miscompilation was rare in practice, its consequences — undefined behavior from safe code — made it a high-priority item.
The fix was reviewed extensively and includes regression guards in the compiler test suite to prevent similar issues from surfacing in future releases.
Security Patches in libssh2
Three CVEs affecting libssh2 — the library Cargo uses for Git-over-SSH operations — have been patched in this release. These include a use-after-free in the SSH channel handling code and two additional memory corruption issues in packet parsing.
These vulnerabilities could potentially be exploited by a malicious Git server when fetching dependencies over SSH. Users relying on HTTPS-based registries — the default for crates.io — are less exposed, but the Rust team recommends upgrading regardless.
How to Update
If you have Rust installed via rustup, updating is straightforward:
rustup update stable
This will bring you to Rust 1.96.1. Verify your version with rustc --version, which should report rustc 1.96.1.
For those managing Rust through package managers, binaries should appear on the official download page shortly. The full changelog is available on the Rust GitHub repository and the official blog.