Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54786

CVE-2026-54786: Wasmtime WASIp1 DoS Vulnerability

CVE-2026-54786 is a denial of service flaw in Wasmtime's WASIp1 fd_renumber function that causes resource leaks on the host. Attackers can exhaust file descriptors and system resources in a loop. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-54786 Overview

CVE-2026-54786 is a resource exhaustion vulnerability in Wasmtime, a runtime for WebAssembly maintained by the Bytecode Alliance. The flaw exists in the native implementation of the WebAssembly System Interface preview 1 (WASIp1). The fd_renumber function fails to close the underlying host file descriptor when a guest renumbers descriptors. Only the WASIp1 descriptor table is updated, leaving host resources allocated until the associated Store is destroyed. A guest can call fd_renumber in a loop to exhaust host file descriptors and memory. The issue is tracked as [CWE-400] Uncontrolled Resource Consumption.

Critical Impact

A guest WebAssembly module can trigger host-side denial of service through file descriptor and resource exhaustion when the runtime exposes fd_renumber and permits file access.

Affected Products

  • Wasmtime versions prior to 24.0.10
  • Wasmtime versions 25.0.0 through releases before 36.0.11, and 37.0.0 through releases before 44.0.3
  • Wasmtime versions 45.0.0 and 45.0.1

Discovery Timeline

  • 2026-07-01 - CVE-2026-54786 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-54786

Vulnerability Analysis

Wasmtime provides a native implementation of WASIp1 that maintains its own descriptor table for guest modules. The fd_renumber WASI function reassigns one file descriptor number to another from the guest's perspective. In affected versions, the implementation updates only the WASIp1 descriptor table and does not close the corresponding descriptor in the host's underlying table. Each renumber operation therefore leaks a host descriptor and any resources tied to it. The leaked handles persist until the enclosing Wasmtime Store is dropped. A hostile or buggy guest that iterates fd_renumber calls can drive the host process into file descriptor exhaustion and memory pressure.

Root Cause

The root cause is incomplete cleanup logic inside the native WASIp1 fd_renumber handler. The function correctly rewires the guest-visible descriptor mapping but omits the host-side close on the descriptor being replaced. This asymmetry between the guest table and the host table produces the leak.

Attack Vector

Exploitation requires a runtime that loads core WebAssembly modules, exposes the native WASIp1 fd_renumber implementation, and allows the guest to acquire file descriptors, for example by opening a file. Runtimes that deny file access are not affected. A guest module opens a descriptor and repeatedly invokes fd_renumber to force the host to allocate new descriptors without releasing prior ones. Over time the host process reaches its descriptor and memory limits, degrading or halting service.

No verified proof-of-concept code has been published. See the GitHub Security Advisory GHSA-3p27-qvp9-27qf for technical details.

Detection Methods for CVE-2026-54786

Indicators of Compromise

  • Wasmtime host processes accumulating open file descriptors that are not released during normal guest execution.
  • Repeated invocation of the WASIp1 fd_renumber function by a single guest module within a short interval.
  • Host process failures with EMFILE or ENFILE errors originating from Wasmtime-backed services.

Detection Strategies

  • Monitor per-process file descriptor counts for Wasmtime host binaries using /proc/<pid>/fd on Linux or handle counts on Windows.
  • Instrument WASI host calls to log frequency of fd_renumber invocations per guest Store and alert on abnormal rates.
  • Correlate memory growth in Wasmtime host processes with active guest sessions to identify leaking workloads.

Monitoring Recommendations

  • Set resource limits (RLIMIT_NOFILE) on Wasmtime host processes and alert when utilization crosses defined thresholds.
  • Track Wasmtime version strings across build pipelines and production hosts to confirm patched releases are deployed.
  • Log Store lifecycle events so that unusually long-lived stores holding many descriptors are surfaced for review.

How to Mitigate CVE-2026-54786

Immediate Actions Required

  • Upgrade Wasmtime to a fixed release: 24.0.10, 36.0.11, 44.0.3, or 45.0.2.
  • Inventory all services that embed Wasmtime and validate their runtime versions before redeployment.
  • Restrict which guests can open files or acquire file descriptors when running untrusted WebAssembly modules.

Patch Information

The Bytecode Alliance fixed the issue in Wasmtime versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2. The fix ensures that the host descriptor being replaced by fd_renumber is properly closed alongside the WASIp1 table update. Details are available in the GitHub Security Advisory GHSA-3p27-qvp9-27qf.

Workarounds

  • Deny guest access to files and any API that returns a file descriptor, which removes the precondition for the leak.
  • Recycle Wasmtime Store instances aggressively so leaked descriptors are reclaimed before exhaustion occurs.
  • Enforce strict RLIMIT_NOFILE and memory limits on Wasmtime host processes to contain the blast radius until patching completes.
bash
# Configuration example
# Cargo.toml — pin to a patched Wasmtime release
[dependencies]
wasmtime = "45.0.2"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.