CVE-2026-47261 — WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph For more information see the GitHub-hosted security advisory.

How to fix CVE-2026-47261

To remediate CVE-2026-47261, upgrade the affected package to a fixed version below.

crates.io/wasmtime-wasi—upgrade to 44.0.2 or later
crates.io/wasmtime-wasi—upgrade to 24.0.9 or later

Is CVE-2026-47261 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47261.

Affected packages (2)

>= 37.0.0, < 44.0.2
>= 0.0.0-0, < 24.0.9, >= 25.0.0, < 36.0.10, >= 37.0.0, < 44.0.2, >= 45.0.0, < 45.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (8)

ADVISORYgithub.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph
ADVISORYrustsec.org/advisories/RUSTSEC-2026-0149.html
PATCHcrates.io/crates/wasmtime-wasi
PATCHgithub.com/bytecodealliance/wasmtime