PatchSiren cyber security CVE debrief
CVE-2026-58494 bytecodealliance CVE debrief
A vulnerability in Wasmtime, a runtime for WebAssembly, allows a WASI guest with read-only source file capability to overwrite host files. This issue arises from wasmtime-wasi's hard-link creation and renaming checks not properly verifying FilePerms on source and destination preopens. The vulnerability is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1. Defenders of systems using Wasmtime should prioritize patching to prevent potential file system manipulation.
- Vendor
- bytecodealliance
- Product
- wasmtime
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Defenders of systems using Wasmtime should prioritize patching to prevent potential file system manipulation. This includes operators managing Wasmtime deployments, platform administrators, vulnerability management teams, and security teams responsible for monitoring and incident response.
Technical summary
The vulnerability, CVE-2026-58494, arises from wasmtime-wasi's hard-link creation and renaming checks not properly verifying FilePerms on source and destination preopens. This oversight enables a WASI guest to bypass intended file system restrictions, potentially leading to unauthorized file overwrites on the host system. The issue is addressed in Wasmtime versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1 through improved permission checks.
Defensive priority
Medium priority due to the potential for file system manipulation and the availability of patches.
Recommended defensive actions
- Apply patches (versions 24.0.11, 36.0.12, 45.0.3, 46.0.1) to Wasmtime installations.
- Review and restrict WASI guest capabilities, especially those involving file system interactions.
- Monitor for unusual file system activities that could indicate exploitation attempts.
- Conduct a thorough review of current Wasmtime deployments to identify potential exposure.
- Inventory assets that may be impacted and prioritize patching based on criticality.
- Implement compensating controls such as enhanced monitoring and access restrictions for high-risk systems.
Evidence notes
The CVE record and NVD detail provide official information on the vulnerability. GitHub commits and release tags offer technical details on the fixes. Evidence is limited to public sources and may not cover all affected systems or potential impacts. Defenders should verify system exposure and review vendor guidance for specific patching and mitigation steps.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:54.000Z and has not been modified since then.