Source: rust-wasmtime
Version: 36.0.9+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-wasmtime.

CVE-2026-47261[0]:
| Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9,
| 36.0.10, and 44.0.2, when a filesystem preopen is given
| DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this
| access control mechanism can be bypassed via the wasip2
| descriptor.open-at or wasip1 path_open interfaces by opening a file
| with only the OpenFlags::TRUNCATE oflag. The root cause is that the
| clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs
| (Dir::open_at, lines 967–969) did not set open_mode |=
| OpenMode::WRITE;, which is later used for the access control check
| against FilePerms to determine whether opening the file is
| permitted; the single-line fix adds that missing assignment, after
| which the affected calls correctly fail with error-code.not-
| permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings
| that combine DirPerms::MUTATE with FilePerms::READ are affected by
| this bug. In particular, the Wasmtime project's wasmtime-cli's use
| of wasmtime-wasi is not affected, because it always sets
| FilePerms::all() for all preopens. This issue has been fixed in
| versions 24.0.9, 36.0.10 and44.0.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47261
    https://www.cve.org/CVERecord?id=CVE-2026-47261
[1] 
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to