Announcing Rust 1.96

The Rust programming language has released version 1.96.0, introducing stable range types, new macros for pattern matching, and changes to WebAssembly linking behavior, marking significant updates for developers relying on Rust’s safety features.

The release stabilizes new range types from RFC3550, including core::range::Range, RangeFrom, and RangeInclusive, enabling safer and more flexible slice handling. It also adds assert_matches! and debug_assert_matches! macros for improved pattern matching diagnostics, which require manual import to avoid conflicts with third-party crates. Additionally, WebAssembly targets no longer allow undefined symbols during linking unless explicitly re-enabled, reducing bugs and misconfigurations. The update also addresses two security vulnerabilities (CVE-2026-5223 and CVE-2026-5222) related to crate tarball extraction and URL normalization, though affected users are primarily third-party registry users, not crates.io users.

Why It Matters

This update enhances Rust’s safety and developer ergonomics, particularly through the stabilization of range types and pattern matching macros. The WebAssembly change improves build reliability and security by catching linking issues earlier. Security fixes further reinforce Rust’s commitment to safe, reliable software development, making this a noteworthy release for both core language users and those working with WebAssembly and third-party crates.

Background

Rust 1.96.0 follows a series of releases focused on stabilizing RFCs related to range types and pattern matching macros introduced in previous proposals. The stable release of core::range types addresses longstanding expectations for range behavior and storage. The pattern matching macros respond to common developer needs for clearer diagnostics. The WebAssembly linking change aligns with ongoing efforts to improve module security and correctness. Prior to this, Rust versions included various updates to language features, security patches, and tooling improvements, reflecting a steady evolution of the language.

“We’re excited to announce Rust 1.96.0, which stabilizes new range types, adds useful pattern matching macros, and improves WebAssembly linking security.”

— The Rust team

“Stabilizing these range types and macros helps developers write safer, more expressive code while reducing common bugs.”

— Rust language developer

What Remains Unclear

It is not yet clear how widely adopted the new range types and macros will become in existing codebases, or whether future editions will further modify range syntax. The impact of the WebAssembly linking change on legacy modules or specific build configurations remains to be seen, as some users may need to explicitly re-enable the old behavior.

What’s Next

Developers are encouraged to update their toolchains to Rust 1.96.0 and test their code with the new range types and macros. Future releases may include additional features or adjustments based on community feedback. The Rust team is also monitoring the security fixes’ impact on third-party ecosystem tools and crates.

Key Questions

What are the main new features in Rust 1.96.0?

Stable range types (Range, RangeFrom, RangeInclusive), new pattern matching macros (assert_matches!, debug_assert_matches!), and WebAssembly linking behavior changes.

How do I get Rust 1.96.0?

If you have rustup installed, run rustup update stable. You can also download it from the official Rust website or use the beta/nightly channels for testing upcoming features.

Are there any security concerns addressed in this release?

Yes, Rust 1.96.0 fixes two vulnerabilities (CVE-2026-5223 and CVE-2026-5222) related to crate tarball extraction with symlinks and URL normalization, primarily affecting third-party registry users.

Will the new range types replace the legacy ones?

Yes, the new core::range types are intended to become the default in future editions, although legacy range syntax like 0..1 still produces the old types for now.

Source: Hacker News