Bug 2498250 (CVE-2026-58494) - CVE-2026-58494 wasmtime: Wasmtime: Overwrite host files via insufficient permission checks in wasmtime-wasi
Summary: CVE-2026-58494 wasmtime: Wasmtime: Overwrite host files via insufficient perm...
Keywords:
Status: NEW
Alias: CVE-2026-58494
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2498431 2498432
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-08 21:01 UTC by OSIDB Bzimport
Modified: 2026-07-09 08:56 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-08 21:01:56 UTC
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.


Note You need to log in before you can comment on or make changes to this bug.