Improper Access Control Affecting rust-wasmtime package, versions <36.0.11+dfsg-1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Access Control vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-DEBIANUNSTABLE-RUSTWASMTIME-17345972
- published16 Jun 2026
- disclosed15 Jun 2026
Introduced: 15 Jun 2026
NewCVE-2026-47261 (opens in a new tab)How to fix?
Upgrade Debian:unstable rust-wasmtime to version 36.0.11+dfsg-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-wasmtime package and not the rust-wasmtime package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli's use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and44.0.2.
References
- https://security-tracker.debian.org/tracker/CVE-2026-47261
- https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.9
- https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.10
- https://github.com/bytecodealliance/wasmtime/releases/tag/v44.0.2
- https://github.com/bytecodealliance/wasmtime/releases/tag/v45.0.0
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph