CVE-2026-47261
Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli's use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and 44.0.2.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor     Product     Version / Range
wasmtime   wasmtime    to 24.0.9 (exc)
wasmtime   wasmtime    to 36.0.10 (exc)
wasmtime   wasmtime    to 44.0.2 (exc)
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in Wasmtime, a runtime for WebAssembly, in versions prior to 24.0.9, 36.0.10, and 44.0.2. When a filesystem preopen is configured with DirPerms::all() and FilePerms::READ but without FilePerms::WRITE, the access control can be bypassed. This happens because the code handling the OpenFlags::TRUNCATE flag did not correctly set the write permission flag during the access control check, allowing a file to be opened with truncation even though write permission was not granted.

The root cause is a missing assignment in the code that should have set the open_mode to include write access when the TRUNCATE flag is used. This flaw allows an attacker to bypass the intended read-only restriction and open a file with truncation, effectively modifying it without proper permission.

This issue only affects wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ. The official wasmtime-cli is not affected because it always grants full file permissions for preopens.
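
The missing assignment and the affected preopen shape, modelled as an added Rust example (not Wasmtime source code and not part of the original advisory). The bit constants, check_open, preopen_is_affected and the patched switch are hypothetical stand-ins for the DirPerms, FilePerms, OpenFlags and OpenMode types named above.

```rust
// Constructed model of the check in the advisory; not Wasmtime source code.
// Bit values and function names are assumptions made for illustration.
const DIR_READ: u8 = 0b01; // stands in for DirPerms::READ
const DIR_MUTATE: u8 = 0b10; // stands in for DirPerms::MUTATE
const FILE_READ: u8 = 0b01; // stands in for FilePerms::READ
const FILE_WRITE: u8 = 0b10; // stands in for FilePerms::WRITE
const MODE_READ: u8 = 0b01; // read bit of the derived open mode
const MODE_WRITE: u8 = 0b10; // stands in for OpenMode::WRITE
const O_TRUNCATE: u8 = 0b1000; // stands in for OpenFlags::TRUNCATE

#[derive(Debug, PartialEq)]
enum OpenError {
    NotPermitted, // surfaces as error-code.not-permitted / ERRNO_PERM
}

/// Derive the open mode a request implies, then check it against the
/// preopen's file permissions. `patched` toggles the one-line fix.
fn check_open(file_perms: u8, oflags: u8, read: bool, write: bool, patched: bool) -> Result<u8, OpenError> {
    let mut open_mode = 0u8;
    if read { open_mode |= MODE_READ; }
    if write { open_mode |= MODE_WRITE; }
    if oflags & O_TRUNCATE != 0 && patched {
        // Truncation changes file contents, so it must count as a write.
        open_mode |= MODE_WRITE;
    }
    let needed = (if open_mode & MODE_READ != 0 { FILE_READ } else { 0 })
        | (if open_mode & MODE_WRITE != 0 { FILE_WRITE } else { 0 });
    if needed & !file_perms != 0 {
        return Err(OpenError::NotPermitted);
    }
    Ok(open_mode)
}

/// Audit helper for embedders: a preopen matches the affected shape when
/// the directory is mutable and files are readable but not writable.
fn preopen_is_affected(dir_perms: u8, file_perms: u8) -> bool {
    dir_perms & DIR_MUTATE != 0
        && file_perms & FILE_READ != 0
        && file_perms & FILE_WRITE == 0
}

fn main() {
    let ro = FILE_READ;
    println!("unpatched: {:?}", check_open(ro, O_TRUNCATE, true, false, false));
    println!("patched:   {:?}", check_open(ro, O_TRUNCATE, true, false, true));
    println!("affected config: {}", preopen_is_affected(DIR_READ | DIR_MUTATE, ro));
}
```

In the unpatched path the truncating open passes the check with only the read bit set; with the assignment in place the same request is rejected unless the preopen also grants write.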

Impact Analysis

This vulnerability can allow unauthorized modification of files that are intended to be read-only. An attacker could exploit this flaw to truncate and potentially alter files without having explicit write permissions.

Such unauthorized file modifications can lead to data corruption, loss of data integrity, or disruption of application behavior that relies on those files.

Since the vulnerability has a CVSS base score of 7.5 with high impact on integrity, it represents a significant risk in environments where Wasmtime is used with affected versions and configurations.

Mitigation Strategies

To mitigate this vulnerability, upgrade Wasmtime to version 24.0.9, 36.0.10, 44.0.2, or a later release, where the issue has been fixed.

Ensure that any wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are updated, as these are the affected configurations.

Note that wasmtime-cli's use of wasmtime-wasi is not affected because it always sets FilePerms::all() for all preopens.
