{“lastseen”:””,”description”:”Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates\/wasi\/src\/filesystem.rs (Dir::open_at, lines 967\u2013969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project’s wasmtime-cli’s use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and44.0.2.”,”published”:”2026-06-15T19:47:40.366Z”,”modified”:”2026-06-15T19:47:40.366Z”,”type”:”cve”,”title”:”Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/bytecodealliance\/wasmtime\/security\/advisories\/GHSA-2r75-cxrj-cmph\\nhttps:\/\/github.com\/bytecodealliance\/wasmtime\/releases\/tag\/v24.0.9\\nhttps:\/\/github.com\/bytecodealliance\/wasmtime\/releases\/tag\/v36.0.10\\nhttps:\/\/github.com\/bytecodealliance\/wasmtime\/releases\/tag\/v44.0.2\\nhttps:\/\/github.com\/bytecodealliance\/wasmtime\/releases\/tag\/v45.0.0″,”id”:”CVE-2026-47261″,”bulletinFamily”:””,”cwe”:[“CWE-284″],”cvelist”:null,”sourceData”:”bytecodealliance wasmtime \\u003e= 37.0.0, \\u003c 44.0.2\\nbytecodealliance wasmtime \\u003e= 25.0.0, \\u003c 36.0.10\\nbytecodealliance wasmtime \\u003c 24.0.9″,”sourceHref”:””,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”wasmtime”,”version”:”\\u003e= 37.0.0, \\u003c 44.0.2″,”vendor”:”bytecodealliance”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,16,12,15,13,7,11,5],"class_list":["post-62884","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n