PT-2026-54848 · Bytecode Alliance · Wasmtime

Alexcrichton

·

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-54786

CVSS v3.1

5.0

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions Wasmtime versions prior to 24.0.10 Wasmtime versions 25.0.0 through 36.0.10 Wasmtime versions 37.0.0 through 44.0.2 Wasmtime versions 45.0.0 through 45.1
Description A resource leak exists in the native implementation of WASIp1 within the fd renumber() function. The issue occurs because the file descriptor being renumbered is not properly closed; the implementation updates the WASIp1 descriptor table but fails to update the host's underlying descriptor table. Consequently, while the operation appears correct to the guest, resources are leaked on the host and are only reclaimed when the corresponding Store is destroyed. An attacker can repeatedly call fd renumber() in a loop to exhaust host resources and file descriptors. This issue only affects runtimes that load core WebAssembly modules, expose fd renumber(), and allow the acquisition of file descriptors, such as through file opening operations.
Recommendations Update to version 24.0.10. Update to version 36.0.11. Update to version 44.0.3. Update to version 45.0.2. Restrict the ability to acquire file descriptors, such as denying access to files, to mitigate the risk.

Fix

Missing Release of Resource after Effective Lifetime

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54786

Affected Products

Wasmtime