Directory Permission Flaw in Wasmtime Runtime for WebAssembly by Bytecode Alliance
CVE-2026-58494

6.5MEDIUM

Key Information:

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-58494?

A directory permission flaw exists in Wasmtime prior to specified versions, where checks during hard-link creation and renaming do not properly enforce permissions between the source and destination preopens. This vulnerability allows a WASI guest with read-only access to a source file to overwrite host files that are accessible through FilePerms::READ using the wasip1, wasip2, or wasip3 filesystem interfaces. It highlights the importance of robust permission verification in secure runtime environments.

Affected Version(s)

wasmtime < 24.0.11 < 24.0.11

wasmtime >= 25.0.0, < 36.0.12 < 25.0.0, 36.0.12

wasmtime >= 37.0.0, < 45.0.3 < 37.0.0, 45.0.3

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.