CVE-2026-58494
Received Received - Intake

Incorrect File Permissions in Wasmtime WASI Allow Host File Overwrite

Vulnerability report for CVE-2026-58494, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
wasmtime wasmtime to 24.0.11 (exc)
wasmtime wasmtime to 36.0.12 (exc)
wasmtime wasmtime to 45.0.3 (exc)
wasmtime wasmtime to 46.0.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-281 The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized modification of host files by a WASI guest that should only have read-only access. This means an attacker or malicious code running in the WASI environment could overwrite files on the host system that are intended to be protected, potentially leading to data corruption, loss of integrity, or other security issues.

Mitigation Strategies

To mitigate this vulnerability, update Wasmtime to one of the fixed versions: 24.0.11, 36.0.12, 45.0.3, or 46.0.1.

Executive Summary

This vulnerability exists in Wasmtime, a runtime for WebAssembly, specifically in the wasmtime-wasi component before certain fixed versions. The issue involves the handling of hard-link creation and renaming operations where directory permissions are checked but the file permissions (FilePerms) on the source and destination preopens are not properly matched. This flaw allows a WASI guest with only read-only access to a source file to overwrite host files that are exposed as read-only through the wasip1, wasip2, or wasip3 filesystem interfaces.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58494. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart