Rust 1.96 is now available as the latest stable release of the Rust programming language, bringing new range types, stabilized assertion macros, a WebAssembly linker behavior change, and fixes for two Cargo vulnerabilities affecting third-party registries.
The most notable change in this update is the stabilization of new core::range::Range* types. Until now, Rust’s range types from core::ops implemented Iterator directly, preventing them from being Copy. This has been inconvenient when developers want to store range values inside lightweight copyable types.
Rust 1.96 addresses this by stabilizing new replacement range types under core::range, including Range, RangeFrom, and RangeInclusive with their associated iterators. These types implement IntoIterator instead of Iterator, allowing them to be Copy.
For now, range syntax like 0..1 still produces the legacy range types. The Rust team says this syntax will move to the new core::range types in a future edition. Library authors are advised to use impl RangeBounds in public APIs to support both old and new range types.
The release also stabilizes the assert_matches! and debug_assert_matches! macros. These check whether a value matches a pattern and print the value’s Debug representation when the assertion fails. They provide more useful diagnostics than a plain assert!(matches!(...)) check.
The new macros are not in Rust’s standard prelude because that would conflict with third-party crates providing macros with the same names. Developers must import them manually from core or std.
Rust 1.96 also changes how WebAssembly targets are linked. The compiler no longer passes --allow-undefined to the linker by default, so undefined symbols are treated as linker errors instead of being converted into WebAssembly imports from the "env" module.
The Rust team says the change aims to catch build-time bugs and misconfigurations earlier, especially missing symbols or naming issues. Projects relying on the previous behavior can restore it with RUSTFLAGS=-Clink-arg=--allow-undefined or by using #[link(wasm_import_module = "env")] in the source code.
On the tooling side, Rust 1.96 includes Cargo fixes for two vulnerabilities affecting users of third-party registries. CVE-2026-5223 is a medium-severity issue involving extraction of crate tarballs with symlinks. CVE-2026-5222 is a low-severity issue related to authentication with normalized URLs. The Rust team says crates.io users are not affected.
Other stabilized APIs in this release include From<T> implementations for AssertUnwindSafe<T>, LazyCell<T, F>, and LazyLock<T, F>, along with additional core::range APIs such as RangeToInclusive, RangeToInclusiveIter, RangeFromIter, and RangeIter.
For additional details, see the announcement.
Users with an existing Rust installation can upgrade to the new version by running rustup update stable.
