Directory Permission Flaw in Wasmtime Runtime for WebAssembly by Bytecode Alliance
CVE-2026-58494
6.5MEDIUM
What is CVE-2026-58494?
A directory permission flaw exists in Wasmtime prior to specified versions, where checks during hard-link creation and renaming do not properly enforce permissions between the source and destination preopens. This vulnerability allows a WASI guest with read-only access to a source file to overwrite host files that are accessible through FilePerms::READ using the wasip1, wasip2, or wasip3 filesystem interfaces. It highlights the importance of robust permission verification in secure runtime environments.
Affected Version(s)
wasmtime < 24.0.11 < 24.0.11
wasmtime >= 25.0.0, < 36.0.12 < 25.0.0, 36.0.12
wasmtime >= 37.0.0, < 45.0.3 < 37.0.0, 45.0.3
