Description
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.
Published: 2026-07-08
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-280
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 08 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Wed, 08 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.
Title Wasmtime: WASI hard links bypass wasmtime-wasi's FilePerms for destination
Weaknesses CWE-281
CWE-863
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N'}


Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T13:28:57.055Z

Reserved: 2026-06-30T20:21:25.812Z

Link: CVE-2026-58494

cve-icon Vulnrichment

Updated: 2026-07-09T13:28:52.945Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-08T20:22:16Z

Links: CVE-2026-58494 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses