PatchSiren cyber security CVE debrief
CVE-2026-47261 bytecodealliance CVE debrief
CVE-2026-47261 is a high-severity vulnerability in Wasmtime, a runtime for WebAssembly. The issue arises when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE. The intended read-only restriction on files under that preopen can be bypassed through the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause lies in the handling of OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs, where open_mode was not updated with OpenMode::WRITE, so the subsequent access control check treated a truncating open as if it did not modify the file. This bug affects wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ. The Wasmtime project's wasmtime-cli is not affected, as it always sets FilePerms::all() for all preopens. The vulnerability has been fixed in versions 24.0.9, 36.0.10, and 44.0.2.
- Vendor: bytecodealliance
- Product: wasmtime
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-17
Who should care
Users of Wasmtime versions prior to 24.0.9, 36.0.10, and 44.0.2 whose wasmtime-wasi embeddings preopen directories with DirPerms::MUTATE (for example DirPerms::all()) combined with FilePerms::READ but not FilePerms::WRITE.
Technical summary
The vulnerability allows for an access control bypass in Wasmtime's filesystem preopen feature. Specifically, when DirPerms::all() and FilePerms::READ are set without FilePerms::WRITE, a guest can bypass the read-only restriction by using the wasip2 descriptor.open-at or wasip1 path_open interfaces with the OpenFlags::TRUNCATE oflag. This is due to a missing assignment of OpenMode::WRITE to open_mode during the handling of OpenFlags::TRUNCATE: the permission check only compares open_mode against the preopen's FilePerms, so a truncate-only open is evaluated as a read and the file can be truncated despite the preopen granting no write access.
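The following Rust model is an added illustration of the logic described above; it is not Wasmtime's code, and the type and function names (FilePerms, OpenRequest, OpenMode, open_mode_vulnerable, open_mode_fixed, check_access, evaluate) are assumptions chosen to mirror the advisory's wording. It shows why an unchanged permission check still fails when the open_mode fed into it omits WRITE for a truncating open.

```rust
// Added example (not Wasmtime's code): a simplified model of the open_mode
// derivation and permission check described in this debrief. Names are
// assumptions; the real logic lives in crates/wasi/src/filesystem.rs.

/// Permissions granted to files under a preopened directory.
#[derive(Clone, Copy, Debug)]
pub struct FilePerms { pub read: bool, pub write: bool }

/// The subset of open-at inputs relevant here: descriptor-flags (read/write)
/// and the TRUNCATE open-flag.
#[derive(Clone, Copy, Debug)]
pub struct OpenRequest { pub read: bool, pub write: bool, pub truncate: bool }

/// The access mode the runtime compares against FilePerms.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct OpenMode { pub read: bool, pub write: bool }

/// Pre-fix derivation: TRUNCATE does not mark the open as a write, so a
/// truncate-only request looks like a plain read to the check below.
pub fn open_mode_vulnerable(req: OpenRequest) -> OpenMode {
    OpenMode { read: req.read, write: req.write }
}

/// Fixed derivation: truncating modifies the file, so it requires WRITE.
pub fn open_mode_fixed(req: OpenRequest) -> OpenMode {
    OpenMode { read: req.read, write: req.write || req.truncate }
}

/// The check itself is the same in both versions; only its input was wrong.
pub fn check_access(perms: FilePerms, mode: OpenMode) -> Result<(), &'static str> {
    if mode.read && !perms.read { return Err("read not permitted"); }
    if mode.write && !perms.write { return Err("write not permitted"); }
    Ok(())
}

/// Evaluate one request against a preopen under both derivations,
/// returning (pre-fix result, fixed result).
pub fn evaluate(perms: FilePerms, req: OpenRequest)
    -> (Result<(), &'static str>, Result<(), &'static str>) {
    (check_access(perms, open_mode_vulnerable(req)),
     check_access(perms, open_mode_fixed(req)))
}

fn main() {
    // Constructed scenario from the advisory: preopen with FilePerms::READ only.
    let read_only = FilePerms { read: true, write: false };
    let truncate_only = OpenRequest { read: false, write: false, truncate: true };
    let (vuln, fixed) = evaluate(read_only, truncate_only);
    println!("truncate-only open, pre-fix: {:?}", vuln);  // Ok(())
    println!("truncate-only open, fixed:   {:?}", fixed); // Err("write not permitted")
}
```

The same model also shows that the fix does not change outcomes for preopens that already grant FilePerms::WRITE, which is why wasmtime-cli, with FilePerms::all() on every preopen, is unaffected.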
Defensive priority
High
Recommended defensive actions
- Update Wasmtime to version 24.0.9, 36.0.10, or 44.0.2, or later.
- Review wasmtime-wasi embeddings for preopens that combine DirPerms::MUTATE (including DirPerms::all()) with FilePerms::READ but not FilePerms::WRITE, and confirm that the granted permissions match what each guest actually needs.
Evidence notes
The vulnerability has been officially documented in the CVE record and NVD detail pages. Fixes are available in specified Wasmtime versions.
Official resources
CVE-2026-47261 was published and modified on 2026-06-15T21:17:11.153Z.