PT-2026-56584 · Bytecode Alliance · Wasmtime

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-58494

CVSS v3.1

6.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.

Fix

Improper Preservation of Permissions

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58494

Affected Products

Wasmtime