SB20260423100 - Multiple vulnerabilities in Wasmtime
Published: April 23, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-27572)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper handling of excessive capacity in wasi:http/types.fields in the wasmtime-wasi-http crate when adding too many header fields to a set of headers. A remote user can add excessive fields to a wasi:http/types.fields instance to cause a denial of service.
Panicking in the WASI implementation can affect embedders.
2) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-27195)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state management in wasmtime::component::[Typed]Func::call_async when dropping a returned future before it resolves and then invoking the same component instance again. A remote user can drop a previously polled call_async future and trigger another call on the same component instance to cause a denial of service.
Only instances using the component-model-async feature are affected, and exploitation requires the future to have been polled and yielded before being dropped.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-27204)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in WASI host interfaces when processing guest-controlled resource allocation requests. A remote user can request excessive resource allocations to cause a denial of service.
Exploitation may result in host memory exhaustion, allocation failure, process aborts, panics, or severe performance degradation. WASIp1, WASIp2, and host APIs modeled with the Component Model or WIT that operate on string or list types are affected.
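Both the header-field issue (1) and the allocation issue (3) come down to the same host-side rule: a size or count chosen by the guest must be checked against an embedder-configured budget before the host reserves memory, and a violation must surface as an error to the guest rather than as a panic or abort in the host. The following Rust example is added here to illustrate that pattern; it is not code from Wasmtime or the wasmtime-wasi-http crate, and the type names, limit values and function names (HostLimits, BoundedFields, checked_guest_alloc) are assumptions for the illustration.

```rust
// Added example, not Wasmtime's own code: bounding guest-controlled sizes on
// the host side. Names and limit values below are illustrative assumptions.
use std::collections::BTreeMap;

/// Error handed back to the guest instead of panicking or aborting the host.
#[derive(Debug, PartialEq)]
pub enum LimitError {
    TooManyFields { max: usize },
    AllocationTooLarge { requested: usize, max: usize },
}

/// Embedder-configured budget (assumed values; tune per deployment).
#[derive(Clone, Copy)]
pub struct HostLimits {
    pub max_header_fields: usize,
    pub max_alloc_bytes: usize,
}

impl Default for HostLimits {
    fn default() -> Self {
        HostLimits { max_header_fields: 256, max_alloc_bytes: 16 * 1024 * 1024 }
    }
}

/// A header-field set that refuses to grow past a configured number of entries,
/// modelling a capped fields resource like the one described for wasi:http.
pub struct BoundedFields {
    limits: HostLimits,
    fields: BTreeMap<String, Vec<Vec<u8>>>,
    count: usize,
}

impl BoundedFields {
    pub fn new(limits: HostLimits) -> Self {
        BoundedFields { limits, fields: BTreeMap::new(), count: 0 }
    }

    /// Append one (name, value) pair; the check runs before anything is stored.
    pub fn append(&mut self, name: &str, value: &[u8]) -> Result<(), LimitError> {
        if self.count >= self.limits.max_header_fields {
            return Err(LimitError::TooManyFields { max: self.limits.max_header_fields });
        }
        self.fields
            .entry(name.to_ascii_lowercase())
            .or_default()
            .push(value.to_vec());
        self.count += 1;
        Ok(())
    }

    /// All values recorded for a (case-insensitive) header name.
    pub fn get(&self, name: &str) -> &[Vec<u8>] {
        self.fields.get(&name.to_ascii_lowercase()).map(Vec::as_slice).unwrap_or(&[])
    }

    pub fn len(&self) -> usize {
        self.count
    }
}

/// Validate a guest-supplied element count and element size before reserving
/// host memory for a list or string argument. Uses checked arithmetic so a
/// large count times a large size cannot wrap, and try_reserve so allocator
/// failure becomes an error rather than a process abort.
pub fn checked_guest_alloc(
    limits: &HostLimits,
    elem_count: u32,
    elem_size: usize,
) -> Result<Vec<u8>, LimitError> {
    let too_large = |requested| LimitError::AllocationTooLarge { requested, max: limits.max_alloc_bytes };
    let bytes = (elem_count as usize)
        .checked_mul(elem_size)
        .ok_or(too_large(usize::MAX))?;
    if bytes > limits.max_alloc_bytes {
        return Err(too_large(bytes));
    }
    let mut buf = Vec::new();
    buf.try_reserve_exact(bytes).map_err(|_| too_large(bytes))?;
    Ok(buf)
}

fn main() {
    let limits = HostLimits { max_header_fields: 2, max_alloc_bytes: 1024 };
    let mut fields = BoundedFields::new(limits);
    println!("{:?}", fields.append("Host", b"example.invalid"));
    println!("{:?}", fields.append("X-A", b"1"));
    println!("{:?}", fields.append("X-B", b"2")); // rejected: over the field cap
    println!("{:?}", checked_guest_alloc(&limits, 1025, 1).map(|v| v.capacity()));
}
```

The point of the shape is that every guest-influenced number is checked against the budget before any host allocation happens, and the budget lives in one place the embedder controls.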
Remediation
Install the updates from the vendor's website.
References
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h
- https://github.com/advisories/GHSA-243v-98vx-264h
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94
- https://github.com/advisories/GHSA-xjhv-v822-pf94
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w
- https://github.com/advisories/GHSA-852m-cvvp-9p4w