Vulnerability Details CVE-2026-47261
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli's use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and44.0.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 40.7%
CVSS Severity
CVSS v3 Score 7.5
References
- https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.9
- https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.10
- https://github.com/bytecodealliance/wasmtime/releases/tag/v44.0.2
- https://github.com/bytecodealliance/wasmtime/releases/tag/v45.0.0
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph
Products affected by CVE-2026-47261
-
cpe:2.3:a:bytecodealliance:wasmtime:0.10.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.11.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.12.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.15.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.16.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.17.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.18.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.19.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.2.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.20.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.21.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.22.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.22.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.23.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.24.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.25.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.26.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.26.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.27.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.28.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.29.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.3.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.30.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.31.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.32.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.32.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.33.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.33.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.34.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.34.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.34.2
-
cpe:2.3:a:bytecodealliance:wasmtime:0.35.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.35.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.35.2
-
cpe:2.3:a:bytecodealliance:wasmtime:0.35.3
-
cpe:2.3:a:bytecodealliance:wasmtime:0.36.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.37.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.2
-
cpe:2.3:a:bytecodealliance:wasmtime:0.38.3
-
cpe:2.3:a:bytecodealliance:wasmtime:0.39.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.39.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.4.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.40.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.40.1
-
cpe:2.3:a:bytecodealliance:wasmtime:0.6.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.8.0
-
cpe:2.3:a:bytecodealliance:wasmtime:0.9.0
-
cpe:2.3:a:bytecodealliance:wasmtime:1.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:1.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:1.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:10.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:10.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:10.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:11.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:11.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:11.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:12.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:12.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:12.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:13.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:13.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:14.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:14.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:14.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:14.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:14.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:15.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:15.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:16.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:17.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:17.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:17.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:17.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:18.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:18.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:18.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:18.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:18.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:19.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:19.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:19.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:2.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:2.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:2.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:20.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:20.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:20.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:21.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:21.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:21.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:22.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:22.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:23.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:23.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:23.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:23.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.5
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.6
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.7
-
cpe:2.3:a:bytecodealliance:wasmtime:24.0.8
-
cpe:2.3:a:bytecodealliance:wasmtime:25.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:25.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:25.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:25.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:26.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:26.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:27.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:28.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:28.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:29.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:29.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:3.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:3.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:30.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:30.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:30.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:31.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:32.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:32.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:33.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:33.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:33.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:34.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:34.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:34.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:35.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.5
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.6
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.7
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.8
-
cpe:2.3:a:bytecodealliance:wasmtime:36.0.9
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:37.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:38.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:39.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:39.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:39.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:4.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:4.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:40.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:41.0.4
-
cpe:2.3:a:bytecodealliance:wasmtime:42.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:42.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:42.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:43.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:43.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:43.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:44.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:44.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:5.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:5.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:6.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:6.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:6.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:7.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:7.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:8.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:8.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:9.0.0
-
cpe:2.3:a:bytecodealliance:wasmtime:9.0.1
-
cpe:2.3:a:bytecodealliance:wasmtime:9.0.2
-
cpe:2.3:a:bytecodealliance:wasmtime:9.0.3
-
cpe:2.3:a:bytecodealliance:wasmtime:9.0.4