CVE-2026-58494
ADVISORY - debianSummary
Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite host files exposed as FilePerms::READ through wasip1, wasip2, or wasip3 filesystem interfaces. This issue is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1.
- rust-wasmtime 36.0.12+dfsg-1 https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4ch3-9j33-3pmj https://github.com/bytecodealliance/wasmtime/commit/7db94cdcf0c79cb3dfde884b534b653f2dd83367 (v36.0.12) https://github.com/bytecodealliance/wasmtime/commit/8a250aac0962ca1364b5f16525720e9d0b39edcd (v24.0.11)
EPSS Score: 0.00119 (0.021)
Common Weakness Enumeration (CWE)
ADVISORY - redhat
Improper Handling of Insufficient Permissions or Privileges
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in