PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58494 bytecodealliance CVE debrief

A vulnerability in Wasmtime, a runtime for WebAssembly, allows a WASI guest with read-only source file capability to overwrite host files. This issue arises from wasmtime-wasi's hard-link creation and renaming checks not properly verifying FilePerms on source and destination preopens. The vulnerability is fixed in versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1. Defenders of systems using Wasmtime should prioritize patching to prevent potential file system manipulation.

Vendor
bytecodealliance
Product
wasmtime
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Defenders of systems using Wasmtime should prioritize patching to prevent potential file system manipulation. This includes operators managing Wasmtime deployments, platform administrators, vulnerability management teams, and security teams responsible for monitoring and incident response.

Technical summary

The vulnerability, CVE-2026-58494, arises from wasmtime-wasi's hard-link creation and renaming checks not properly verifying FilePerms on source and destination preopens. This oversight enables a WASI guest to bypass intended file system restrictions, potentially leading to unauthorized file overwrites on the host system. The issue is addressed in Wasmtime versions 24.0.11, 36.0.12, 45.0.3, and 46.0.1 through improved permission checks.

Defensive priority

Medium priority due to the potential for file system manipulation and the availability of patches.

Recommended defensive actions

  • Apply patches (versions 24.0.11, 36.0.12, 45.0.3, 46.0.1) to Wasmtime installations.
  • Review and restrict WASI guest capabilities, especially those involving file system interactions.
  • Monitor for unusual file system activities that could indicate exploitation attempts.
  • Conduct a thorough review of current Wasmtime deployments to identify potential exposure.
  • Inventory assets that may be impacted and prioritize patching based on criticality.
  • Implement compensating controls such as enhanced monitoring and access restrictions for high-risk systems.

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. GitHub commits and release tags offer technical details on the fixes. Evidence is limited to public sources and may not cover all affected systems or potential impacts. Defenders should verify system exposure and review vendor guidance for specific patching and mitigation steps.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:54.000Z and has not been modified since then.