Back to overview

CVE-2026-58494

MEDIUM
6.5
CVSS 3.1
Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.

Metadata

CVE ID
CVE-2026-58494
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-30 20:21 UTC
Published
2026-07-08 20:22 UTC
Last updated
2026-07-08 20:22 UTC
Primary CWE
CWE-281
CWE-281: Improper Preservation of Permissions
Vendor / Product
bytecodealliance / wasmtime
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
bytecodealliance wasmtime < 24.0.11, >= 25.0.0, < 36.0.12, >= 37.0.0, < 45.0.3, >= 46.0.0, < 46.0.1
Weakness (CWE)
CWESourceDescription
CWE-281 cna CWE-281: Improper Preservation of Permissions
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
References (9)
Back to overview