Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before 36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 which suffers from a leak in the fd_renumber function where the file descriptor being renumbered to is not properly closed. Wasmtime's implementation erroneously only updated the table of descriptors for WASIp1 and didn't update the underlying table of descriptors used by the host. This behavior means that while fd_renumber works correctly from a guest's perspective it ends up leaking resources in the host that aren't cleaned up until the corresponding Store is destroyed. In a loop, guests can use fd_renumber to cause hosts to exhaust both resources and file descriptors. This bug only affects the native implementation of WASIp1, meaning that only runtimes which load core wasm modules and expose fd_renumber are affected. Runtimes are additionally only affected if they expose the ability to acquire a file descriptor, such as opening a file. For runtimes that deny access to files they are unaffected. This issue has been fixed in versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2.
CVE-2026-54786
This medium-severity CVE scores 5.0 under NVD CVSS v3. EPSS exploit probability: 0.2%, top 88% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.0
- EG Score
- 5.0(medium)
- EPSS
- 12.1%
- KEV
- Not listed
Published
July 1, 2026
Last Modified
July 2, 2026
Advisory Details (1)
Auto-updated Jul 7, 2026Leak in WASIp1 `fd_renumber` implementation · Advisory · bytecodealliance/wasmtime · GitHub
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qfWeakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 19× in last 7d / 27× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 06:49 UTCEG score recompute
- 2026-07-10 06:11 UTCEG score recompute
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 05:32 UTCEG score recompute
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 04:53 UTCEG score recompute
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 04:08 UTCEG score recompute
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 03:28 UTCEG score recompute
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:48 UTCEG score recompute▲ 2.70
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-02 20:05 UTCNVD updateCVSS v3 → 5 · severity → MEDIUM
Show 2 moreShow fewer
- 2026-07-01 23:09 UTCEG score recompute
- 2026-07-01 23:08 UTCNVD updatefirst tracked
Related CVEs(same CWE)
Same CWE
10 shownCWE-400 · CWE-772
- CVE-2011-3192NVD 0.0EG 9.0EPSS 100%NONE
- CVE-2004-1464NVD 5.9EG 9.0 KEVEPSS 91%MEDIUM
- CVE-2003-0132NVD 0.0EG 9.0EPSS 100%NONE
- CVE-2007-20001EG 7.5HIGH
- CVE-2002-20001EG 7.5EPSS 97%HIGH
- CVE-2012-0785EG 7.5HIGH
- CVE-2012-5362EG 7.5EPSS 96%HIGH
- CVE-2011-3336EG 7.5EPSS 93%HIGH
- CVE-2011-4661EG 7.5HIGH
- CVE-2008-7314EG 7.5HIGH
Frequently asked(5)
What is CVE-2026-54786?
When was CVE-2026-54786 disclosed?
Is CVE-2026-54786 actively exploited?
What is the CVSS score of CVE-2026-54786?
How do I remediate CVE-2026-54786?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-54786
Is Your Infrastructure Affected by CVE-2026-54786?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.