Top stories
Rust 1.96.1 patches three libssh2 CVEs and a MIR miscompilation
- Category: Languages
- Status: confirmed
- Sources: Rust blog, GitHub release, cargo PR 17140
- Summary: The Rust Release Team announced 1.96.1 on 2026-06-30, and the GitHub release with binaries was published 2026-07-05. The point release patches three libssh2 vulnerabilities that Cargo links for SSH transport of Git dependencies: CVE-2025-15661 (heap over-read in
sftp_symlinkon a malformedSSH_FXP_NAMEresponse), CVE-2026-55199 (a compute-bound spin during key exchange that hangs the client past the session timeout), and CVE-2026-55200 (an out-of-bounds write from an inflatedpacket_lengthfield that can corrupt heap memory). It also fixes a miscompilation in a MIR optimization pass and a Cargo HTTP client timeout, retry, and silent-failure bug. - Why it matters: Cargo fetches Git dependencies over the bundled libssh2, so the out-of-bounds write reaches any developer or CI job that resolves a Git or SSH dependency from an untrusted server, and the MIR fix corrects wrong code generation.
- Follow-up: Watch for distribution and CI toolchain images picking up 1.96.1 and for any exploitation reports against the libssh2 write primitive.