PT-2026-54848 · Bytecode Alliance · Wasmtime
Alexcrichton
·
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-54786
CVSS v3.1
5.0
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Wasmtime versions prior to 24.0.10
Wasmtime versions 25.0.0 through 36.0.10
Wasmtime versions 37.0.0 through 44.0.2
Wasmtime versions 45.0.0 through 45.1
Description
A resource leak exists in the native implementation of WASIp1 within the
fd renumber() function. The issue occurs because the file descriptor being renumbered is not properly closed; the implementation updates the WASIp1 descriptor table but fails to update the host's underlying descriptor table. Consequently, while the operation appears correct to the guest, resources are leaked on the host and are only reclaimed when the corresponding Store is destroyed. An attacker can repeatedly call fd renumber() in a loop to exhaust host resources and file descriptors. This issue only affects runtimes that load core WebAssembly modules, expose fd renumber(), and allow the acquisition of file descriptors, such as through file opening operations.Recommendations
Update to version 24.0.10.
Update to version 36.0.11.
Update to version 44.0.3.
Update to version 45.0.2.
Restrict the ability to acquire file descriptors, such as denying access to files, to mitigate the risk.
Fix
Missing Release of Resource after Effective Lifetime
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Wasmtime