Allocation of Resources Without Limits or Throttling in Wasmtime - CVE-2026-27204

 


Published: April 23, 2026


Vulnerability identifier: #VU127045
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27204
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Bytecode Alliance
Affected software:
Wasmtime

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in WASI host interfaces when processing guest-controlled resource allocation requests. A remote user can request excessive resource allocations to cause a denial of service.

Exploitation may result in host memory exhaustion, allocation failure, process aborts, panics, or severe performance degradation. WASIp1, WASIp2, and host APIs modeled with the Component Model or WIT that operate on string or list types are affected.
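The failure modes listed above (memory exhaustion, aborts, panics) come from sizing a host allocation directly from a guest-declared string or list length. The sketch below is an added example, not Wasmtime's code or the vendor's fix; `GuestBudget`, `AllocError` and the limits are hypothetical names and values chosen for illustration. It shows a per-call cap, a cumulative per-instance budget, and fallible reservation, so an oversized request becomes an error rather than a process abort.

```rust
// Added illustration: a host-side budget for buffers sized by guest input.
// All names and limits are hypothetical; none of this is a Wasmtime API.
#[derive(Debug, PartialEq)]
pub enum AllocError {
    PerCallLimit { requested: usize, limit: usize },
    BudgetExhausted { requested: usize, remaining: usize },
    HostOutOfMemory,
}

/// Tracks how many bytes one guest instance may make the host hold at once.
pub struct GuestBudget {
    per_call_limit: usize,
    remaining: usize,
}

impl GuestBudget {
    pub fn new(per_call_limit: usize, total: usize) -> Self {
        Self { per_call_limit, remaining: total }
    }

    /// Allocate a host buffer for a guest-declared string/list of `len` bytes.
    pub fn alloc(&mut self, len: usize) -> Result<Vec<u8>, AllocError> {
        if len > self.per_call_limit {
            return Err(AllocError::PerCallLimit { requested: len, limit: self.per_call_limit });
        }
        if len > self.remaining {
            return Err(AllocError::BudgetExhausted { requested: len, remaining: self.remaining });
        }
        let mut buf = Vec::new();
        // try_reserve_exact reports allocation failure instead of aborting.
        buf.try_reserve_exact(len).map_err(|_| AllocError::HostOutOfMemory)?;
        buf.resize(len, 0);
        self.remaining -= len;
        Ok(buf)
    }

    /// Return bytes to the budget once the host is done with the buffer.
    pub fn release(&mut self, buf: Vec<u8>) {
        self.remaining += buf.len();
    }
}

fn main() {
    let mut budget = GuestBudget::new(64 * 1024, 128 * 1024);
    // Constructed sample: lengths a guest might declare across successive calls.
    for len in [4096usize, 1 << 30, 64 * 1024, 64 * 1024] {
        println!("{len}: {:?}", budget.alloc(len).map(|b| b.len()));
    }
}
```

The cumulative budget matters as much as the per-call cap: many individually small requests that the host keeps alive can exhaust memory just as one large request can.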


How to mitigate CVE-2026-27204

Install the security update from the vendor's website.
