Bug 2496780 - CVE-2026-54786 tree-sitter: Wasmtime: Leak in WASIp1 `fd_renumber` implementation [fedora-all]
Summary: CVE-2026-54786 tree-sitter: Wasmtime: Leak in WASIp1 `fd_renumber` implementa...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: tree-sitter
Version: rawhide
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact:
URL:
Whiteboard: {"flaws": ["982e8d05-16fe-42c6-ae66-7...
Depends On:
Blocks: CVE-2026-54786
TreeView+ depends on / blocked
 
Reported: 2026-07-03 08:21 UTC by Ganesh
Modified: 2026-07-03 08:21 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Ganesh 2026-07-03 08:21:00 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before  36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 which suffers from a leak in the fd_renumber function where the file descriptor being renumbered to is not properly closed. Wasmtime's implementation erroneously only updated the table of descriptors for WASIp1 and didn't update the underlying table of descriptors used by the host. This behavior means that while fd_renumber works correctly from a guest's perspective it ends up leaking resources in the host that aren't cleaned up until the corresponding Store is destroyed. In a loop, guests can use fd_renumber to cause hosts to exhaust both resources and file descriptors. This bug only affects the native implementation of WASIp1, meaning that only runtimes which load core wasm modules and expose fd_renumber are affected. Runtimes are additionally only affected if they expose the ability to acquire a file descriptor, such as opening a file. For runtimes that deny access to files they are unaffected. This issue has been fixed in versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2.


Note You need to log in before you can comment on or make changes to this bug.