Skip to content

Forged Wasmtime precompiled OCI layer bypasses runwasi WASI sandbox

Critical
cpuguy83 published GHSA-cc25-vq59-rcjx Jun 17, 2026

Package

containerd-shim-wasmtime (runwasi)

Affected versions

<= v0.6.0

Patched versions

v0.6.1

Description

Summary

runwasi's Wasmtime shim may deserialize attacker-supplied precompiled artifacts from OCI image layers, allowing code execution outside the WASI sandbox but within the workload container boundary.

Impact

Affected versions of runwasi may accept a Wasmtime precompiled artifact supplied directly as an OCI image layer when using the precompile-cache path. Precompiled artifacts are native-code cache entries and must only be loaded from a trusted local cache, not from untrusted image content.
An attacker who can cause a victim to run a crafted OCI image with containerd-shim-wasmtime-v1 can cause the shim to deserialize and execute attacker-controlled native code instead of compiling and validating WebAssembly. This bypasses the WASI/WebAssembly sandbox.

The executed code runs in the shim's "zygote" process inside the workload container.
This can allow escape from the wasm sandbox to the container boundary, including access available to that container such as its filesystem mounts, environment, credentials, pod/container networking and the native Linux syscall surface allowed to that container.

This does not by itself bypass container isolation or provide direct host-level code execution.
The issue also affects downstream shims built with runwasi's containerd-shim-wasm precompile-cache API if they implement Compiler and trust executable precompiled artifacts from OCI image layers.

Patches

Patched versions reject precompiled artifacts supplied directly by OCI image layers. Precompiled artifacts are only accepted when they originate from runwasi's local containerd precompile cache.
Users should upgrade to a patched release once available.

Workarounds

Do not run untrusted OCI images with containerd-shim-wasmtime-v1 on affected versions.

Severity

Critical

CVE ID

CVE-2026-47218

Weaknesses

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Learn more on MITRE.

Credits