SUSE CVE-2025-53901

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host embedder. The specific bug is triggered by calling pathopen after calling...

Wasmtime CLI is vulnerable to host panic through its fd_renumber function

Summary A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host embedder. The specific bug is triggered by calling pathopen after calling fdrenumber with either: - two equal argument values - second argument being equal...

CVE-2025-53901

Wasmtime WASI (wasmtime-wasi) contains a bug in the WASIp1 import implementation. Prior to 24.0.4, 33.0.2, and 34.0.2, calling fd_renumber followed by path_open can cause a WebAssembly guest to panic the host (embedder). The panic results from a corrupt state in fd_renumber when a second open fil...

RUSTSEC-2025-0046 Host panic with `fd_renumber` WASIp1 function

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc. For more information see the GitHub-hosted security advisory...

libwasmtime -- host panic with fd_renumber WASIp1 function

WasmTime development team reports: A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host embedder...