Git 2.55 enables Rust by default, requiring source-build environments to add a Rust toolchain as the project strengthens memory safety and prepares for mandatory Rust adoption in Git 3.0.
Git 2.55-rc0, released on 11 June 2026, has made Rust support enabled by default for the first time, marking a significant milestone in the open-source software community’s broader shift towards memory-safe programming. Any environment building Git from source will now require a Rust toolchain unless maintainers explicitly opt out using the new NO_RUST flag.
The change also sets the stage for Git 3.0, expected in late 2026, when all opt-out mechanisms will be removed and Rust will become a mandatory build dependency.
Security concerns are the primary driver behind the move. In December 2022, Git disclosed critical vulnerabilities CVE-2022-41903 and CVE-2022-23521, both linked to integer overflows and heap memory corruption that could enable remote code execution.
A January 2023 security audit by X41 D-SEC and GitLab, sponsored by the Open Source Technology Improvement Fund, uncovered additional risks including denial-of-service vulnerabilities, out-of-bounds reads and memory corruption issues, noting that “the sheer size of the codebase makes it challenging to address all potential instances of these issues.”
Rust’s ownership model and borrow checker help prevent buffer overflows, use-after-free bugs, data races and double-free errors at compile time. Git is adopting Rust incrementally rather than rewriting the entire codebase, with the initial focus on xdiff, the engine powering diff and merge operations. According to Git developer Ezekiel Newren, the Rust implementation could deliver performance improvements of 5% to 19%.
Developers, CI/CD operators and Linux distribution maintainers are now being urged to verify Rust toolchain availability, test build environments against Git 2.55-rc0 and update package dependencies ahead of the stable release.
