Source: rust-wasmtime Version: 36.0.9+dfsg-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for rust-wasmtime. CVE-2026-47261[0]: | Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, | 36.0.10, and 44.0.2, when a filesystem preopen is given | DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this | access control mechanism can be bypassed via the wasip2 | descriptor.open-at or wasip1 path_open interfaces by opening a file | with only the OpenFlags::TRUNCATE oflag. The root cause is that the | clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs | (Dir::open_at, lines 967–969) did not set open_mode |= | OpenMode::WRITE;, which is later used for the access control check | against FilePerms to determine whether opening the file is | permitted; the single-line fix adds that missing assignment, after | which the affected calls correctly fail with error-code.not- | permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings | that combine DirPerms::MUTATE with FilePerms::READ are affected by | this bug. In particular, the Wasmtime project's wasmtime-cli's use | of wasmtime-wasi is not affected, because it always sets | FilePerms::all() for all preopens. This issue has been fixed in | versions 24.0.9, 36.0.10 and44.0.2. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-47261 https://www.cve.org/CVERecord?id=CVE-2026-47261 [1] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph Please adjust the affected versions in the BTS as needed. Regards, Salvatore

