UBUNTU-CVE-2026-47261

Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36...

Linux Distros Unpatched Vulnerability : CVE-2026-47261

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ...

DEBIAN-CVE-2026-47261

Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 pathopen interfaces by...

CVE-2026-47261

Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 pathopen interfaces by...

CVE-2026-47261 Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 pathopen interfaces by...

CVE-2026-47261

CVE-2026-47261 : Wasmtime-wasi WASI path_open(TRUNCATE) bypasses FilePerms::WRITE host restriction. Root cause: when OpenFlags::TRUNCATE is used, open_mode was not OR-ed with WRITE, allowing a READ-only preopen with DirPerms::all() to bypass access checks via wasip1 path_open or wasip2 descriptor...

CVE-2026-47261

Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 pathopen interfaces by...

Leak in WASIp1 `fd_renumber` implementation

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qf For more information see the GitHub-hosted security advisory...

RUSTSEC-2026-0182 Leak in WASIp1 `fd_renumber` implementation

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qf For more information see the GitHub-hosted security advisory...

FreeBSD : tree-sitter-cli -- Always-Incorrect Control Flow Implementation in wasmtime crate (36ec75da-633d-11f1-9dbc-28d2443e6cfa)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 36ec75da-633d-11f1-9dbc-28d2443e6cfa advisory. https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw reports: Wasmtime ...

auto-wasi (=0.1.0), deterministic-wasi-ctx (>=0.1.1 <=0.1.14) +53 more potentially affected by CVE-2026-47261 via wasmtime-wasi (>=0.10.0 <=1.0.2)

wasmtime-wasi CARGO version =0.10.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.5.0, =0.0.1-alpha, =0.1.0, =0.1.0, =0.1.0, =0.9.0, =0.9.0, =0.9.0, =0.7.0, =0.9.2 and more Source cves: CVE-2026-47261 Source advisory: OSV:GHSA-2R75-CXRJ-CMPH...

GHSA-2R75-CXRJ-CMPH wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

Summary In wasmtime-wasi, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this wasmtime-wasi enforced access control mechanism can be bypassed by using the wasip2 descriptor.open-at or wasip1 pathopen interfaces by opening a file with...

wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

Summary In wasmtime-wasi, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this wasmtime-wasi enforced access control mechanism can be bypassed by using the wasip2 descriptor.open-at or wasip1 pathopen interfaces by opening a file with...

crypt_guard (=0.1.4), env_encryption_tool (=0.9.17) +7 more potentially affected by unknown CVE via pqcrypto (>=0.11.1 <=0.18.1)

pqcrypto CARGO version =0.11.1, =0.1.0, =0.1.0, =0.1.2, =0.1.0, =0.23.0, =0.23.0, =12.0.2 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0164...

SUSE-SU-2026:22002-1 Security update for tree-sitter

This update for tree-sitter fixes the following issue - CVE-2026-44216: wasmtime: allocation of a table exceeding the size of the host's address space leads to panic bsc1265300...

OPENSUSE-SU-2026:20863-1 Security update for tree-sitter

This update for tree-sitter fixes the following issue - CVE-2026-44216: wasmtime: allocation of a table exceeding the size of the host's address space leads to panic bsc1265300...

Malicious code in pgrayy-wasmtime (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7c9cfd90d6de2acd86d50019dfa4a2b140ac9246fdcbae8d7aaa3d17bd4af6e The distribution is published as pgrayy-wasmtime but its toplevel.txt declares the top-level import name as wasmtime, and the entire Python source tr...

MAL-2026-4762 Malicious code in pgrayy-wasmtime (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7c9cfd90d6de2acd86d50019dfa4a2b140ac9246fdcbae8d7aaa3d17bd4af6e The distribution is published as pgrayy-wasmtime but its toplevel.txt declares the top-level import name as wasmtime, and the entire Python source tr...

auto-wasi (=0.1.0), deterministic-wasi-ctx (>=0.1.1 <=0.1.14) +53 more potentially affected by CVE-2026-47261 via wasmtime-wasi (>=0.10.0 <=1.0.2)

wasmtime-wasi CARGO version =0.10.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.5.0, =0.0.1-alpha, =0.1.0, =0.1.0, =0.1.0, =0.9.0, =0.9.0, =0.9.0, =0.7.0, =0.9.2 and more Source cves: CVE-2026-47261 Source advisory: OSV:RUSTSEC-2026-0149...

WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph For more information see the GitHub-hosted security advisory...