CVE-2026-54786
Received - Intake

File Descriptor Leak in Wasmtime WASIp1


Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 up to but not including 36.0.11; versions 37.0.0 up to but not including 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 with a leak in the fd_renumber function: the file descriptor being renumbered to is not properly closed. Wasmtime's implementation erroneously updated only the table of descriptors for WASIp1 and did not update the underlying table of descriptors used by the host. As a result, fd_renumber works correctly from a guest's perspective but leaks resources in the host that are not cleaned up until the corresponding Store is destroyed. By calling fd_renumber in a loop, guests can cause hosts to exhaust both resources and file descriptors. This bug only affects the native implementation of WASIp1, meaning that only runtimes which load core wasm modules and expose fd_renumber are affected. Runtimes are additionally only affected if they expose the ability to acquire a file descriptor, such as opening a file. Runtimes that deny access to files are unaffected. This issue has been fixed in versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2.
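The two-table mismatch described above, as an added example: this is a simplified model written for this page, not Wasmtime's code. The Ctx struct, its fields and the open/renumber_leaky/renumber_fixed/run names are all hypothetical; it shows why the guest sees a correct result while the host table keeps growing, and the invariant a regression test would check.

```rust
use std::collections::HashMap;
// Simplified model, not Wasmtime's code: a WASIp1 table maps guest fds to
// handles in a separate host-side resource table. All names are hypothetical.
#[derive(Default)]
struct Ctx {
    guest: HashMap<u32, u32>,         // guest fd -> host handle
    host: HashMap<u32, &'static str>, // host handle -> open resource
    next: u32,                        // next free fd / handle number
}

impl Ctx {
    // Stand-in for any call that hands the guest a new descriptor.
    fn open(&mut self, name: &'static str) -> u32 {
        let fd = self.next;
        self.next += 1;
        self.host.insert(fd, name);
        self.guest.insert(fd, fd);
        fd
    }

    // Behaviour the advisory describes: only the WASIp1 table is updated.
    fn renumber_leaky(&mut self, from: u32, to: u32) -> Option<()> {
        let h = self.guest.remove(&from)?;
        self.guest.insert(to, h); // handle previously at `to` stays in `host`
        Some(())
    }

    // Corrected behaviour: the displaced handle is also released on the host.
    fn renumber_fixed(&mut self, from: u32, to: u32) -> Option<()> {
        let h = self.guest.remove(&from)?;
        if let Some(old) = self.guest.insert(to, h) {
            self.host.remove(&old);
        }
        Some(())
    }
}

// Returns (guest-visible fds, host-held resources) after `n` open+renumber rounds.
fn run(n: u32, fixed: bool) -> (usize, usize) {
    let mut c = Ctx::default();
    let target = c.open("target");
    for _ in 0..n {
        let fd = c.open("scratch");
        (if fixed { c.renumber_fixed(fd, target) } else { c.renumber_leaky(fd, target) }).unwrap();
    }
    (c.guest.len(), c.host.len())
}

fn main() {
    println!("leaky: {:?}  fixed: {:?}", run(100, false), run(100, true));
}
```

In the leaky variant the guest-visible count stays at 1 while the host count grows by one per round, which is why monitoring only the guest's view of its descriptors does not reveal the leak.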

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs

Vendor   | Product  | Version / Range
wasmtime | wasmtime | to 24.0.10 (exc)
wasmtime | wasmtime | From 25.0.0 (inc) to 36.0.11 (exc)
wasmtime | wasmtime | From 37.0.0 (inc) to 44.0.3 (exc)
wasmtime | wasmtime | From 45.0.0 (inc) to 45.0.2 (exc)

CWE

CWE ID  | Description
CWE-400 | The product does not properly control the allocation and maintenance of a limited resource.
CWE-772 | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Executive Summary

This vulnerability exists in Wasmtime, a runtime for WebAssembly, specifically in its native implementation of WASIp1. The issue is in the fd_renumber function, where the file descriptor being renumbered to is not properly closed on the host side. While the guest's descriptor table is updated correctly, the host's underlying descriptor table is not, causing resource leaks. Resources and file descriptors on the host are therefore not cleaned up until the corresponding Store is destroyed.

If a guest repeatedly uses fd_renumber in a loop, it can cause the host to exhaust its available resources and file descriptors. However, this vulnerability only affects runtimes that load core wasm modules, expose fd_renumber, and allow acquiring file descriptors (e.g., opening files). Runtimes that deny file access are not affected.

The issue has been fixed in Wasmtime versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2.

Impact Analysis

This vulnerability can lead to resource exhaustion on the host system running Wasmtime. Specifically, if exploited, it can cause the host to run out of file descriptors and other resources due to leaked descriptors that are not properly closed.

Such resource exhaustion can degrade system performance, cause failures in opening new files or network connections, and potentially lead to denial of service conditions on the host.

Mitigation Strategies

To mitigate this vulnerability, update Wasmtime to a fixed version. The issue has been resolved in versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2.

Additionally, if your runtime denies access to files or does not expose the ability to acquire file descriptors, it is not affected by this vulnerability.
