• Category: Languages
  • Status: confirmed
  • Sources: Rust blog, GitHub release, cargo PR 17140
  • Summary: The Rust Release Team announced 1.96.1 on 2026-06-30, and the GitHub release with binaries was published 2026-07-05. The point release patches three libssh2 vulnerabilities that Cargo links for SSH transport of Git dependencies: CVE-2025-15661 (heap over-read in sftp_symlink on a malformed SSH_FXP_NAME response), CVE-2026-55199 (a compute-bound spin during key exchange that hangs the client past the session timeout), and CVE-2026-55200 (an out-of-bounds write from an inflated packet_length field that can corrupt heap memory). It also fixes a miscompilation in a MIR optimization pass and a Cargo HTTP client timeout, retry, and silent-failure bug.
  • Why it matters: Cargo fetches Git dependencies over the bundled libssh2, so the out-of-bounds write reaches any developer or CI job that resolves a Git or SSH dependency from an untrusted server, and the MIR fix corrects wrong code generation.
  • Follow-up: Watch for distribution and CI toolchain images picking up 1.96.1 and for any exploitation reports against the libssh2 write primitive.

Send feedback on this story