CVE-2026-27572

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.rs/http/1.4.0/http/header/#limitations	Not Applicable
https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a	Patch
https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6	Product Release Notes
https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6	Product Release Notes
https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4	Product Release Notes
https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4	Product Release Notes
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:bytecodealliance:wasmtime::::::rust::*
	cpe:2.3:a:bytecodealliance:wasmtime::::::rust::*
	cpe:2.3:a:bytecodealliance:wasmtime::::::rust::*
	cpe:2.3:a:bytecodealliance:wasmtime::::::rust::*

History

No history.

Information

Published : 2026-02-24 22:16

Updated : 2026-02-25 15:36

NVD link : CVE-2026-27572

Mitre link : CVE-2026-27572

CVE.ORG link : CVE-2026-27572

JSON object : View

Products Affected

bytecodealliance

wasmtime

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-27572", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T22:16:32.687", "references": [{"url": "https://docs.rs/http/1.4.0/http/header/#limitations", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime."}, {"lang": "es", "value": "Wasmtime es un entorno de ejecuci\u00f3n para WebAssembly. Antes de las versiones 24.0.6, 36.0.6, 4.0.04, 41.0.4 y 42.0.0, la implementaci\u00f3n de Wasmtime del recurso `wasi:http/types.fields` es susceptible a panics cuando se a\u00f1aden demasiados campos al conjunto de cabeceras. La implementaci\u00f3n de Wasmtime en el crate `wasmtime-wasi-http` est\u00e1 respaldada por una estructura de datos que entra en p\u00e1nico cuando alcanza una capacidad excesiva. Esta condici\u00f3n no se manej\u00f3 convenientemente en Wasmtime. Entrar en p\u00e1nico en una implementaci\u00f3n de WASI es un vector de denegaci\u00f3n de servicio para los integradores y se trata como una vulnerabilidad de seguridad en Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4 y 42.0.0 aplican un parche a esta vulnerabilidad y devuelven una trampa al invitado en lugar de entrar en p\u00e1nico. No hay soluciones alternativas conocidas en este momento. Se anima a los integradores a actualizar a una versi\u00f3n de Wasmtime con parche."}], "lastModified": "2026-02-25T15:36:36.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "FAB7C7D9-433F-4046-932B-44456BB034A3", "versionEndExcluding": "24.0.6"}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "4AF1D021-3AC7-419E-AD0B-5C5738DC51E5", "versionEndExcluding": "36.0.6", "versionStartIncluding": "25.0.0"}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "2DBCFCF3-5A70-4441-B73D-E1CE96B01BE7", "versionEndExcluding": "40.0.4", "versionStartIncluding": "37.0.0"}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "9BF3C16E-C1D8-468A-9F60-9F6F45DA98E3", "versionEndExcluding": "41.0.4", "versionStartIncluding": "41.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}