Panic Risk in Wasmtime WebAssembly Runtime Due to Async Handling Bug
CVE-2026-27195
What is CVE-2026-27195?
A bug in Wasmtime, a WebAssembly runtime, affects the handling of asynchronous function calls when the component-model-async feature is in use. Starting with version 39.0.0, the implementation of [Typed]Func::call_async contains a flaw that can lead to a runtime panic under specific conditions. When a host embedding calls this function, polls the returned future once, and then drops that future without waiting for it to resolve, the component instance can be left in a non-reenterable state. A subsequent call to [Typed]Func::call_async can then trap and result in a panic, due to the runtime's underlying management of tasks and threads. The issue is mitigated in versions 40.0.4 and 41.0.4; users are advised to ensure all futures are awaited, or to avoid reusing the store after dropping unresolved calls.
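One way an embedding can enforce the "do not reuse the store after dropping an unresolved call" advice is sketched below. This is an added example, not Wasmtime code: it uses only the Rust standard library, and Guarded, Poisoned, YieldOnce and reusable_after are hypothetical names, with YieldOnce standing in for the future returned by call_async.

```rust
use std::future::Future;
use std::pin::Pin;
use std::sync::{atomic::{AtomicBool, Ordering}, Arc};
use std::task::{Context, Poll, Wake, Waker};

/// Hypothetical per-store flag; the embedding checks it before reusing a store.
pub type Poisoned = Arc<AtomicBool>;
/// Wraps a call future and sets the flag if it is dropped after being polled but before resolving.
pub struct Guarded<F> { inner: Pin<Box<F>>, polled: bool, done: bool, flag: Poisoned }
impl<F: Future> Guarded<F> {
    pub fn new(inner: F, flag: &Poisoned) -> Self {
        Guarded { inner: Box::pin(inner), polled: false, done: false, flag: flag.clone() }
    }
}
impl<F: Future> Future for Guarded<F> {
    type Output = F::Output;
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<F::Output> {
        self.polled = true;
        let r = self.inner.as_mut().poll(cx);
        self.done = r.is_ready();
        r
    }
}
impl<F> Drop for Guarded<F> {
    fn drop(&mut self) {
        // Polled at least once and never resolved: the pattern the advisory describes.
        if self.polled && !self.done { self.flag.store(true, Ordering::SeqCst); }
    }
}

/// Constructed stand-in for a guest call that yields once: Pending, then Ready.
struct YieldOnce(bool);
impl Future for YieldOnce {
    type Output = u32;
    fn poll(mut self: Pin<&mut Self>, _: &mut Context<'_>) -> Poll<u32> {
        if std::mem::replace(&mut self.0, true) { Poll::Ready(7) } else { Poll::Pending }
    }
}
struct Noop;
impl Wake for Noop { fn wake(self: Arc<Self>) {} }

/// Polls a guarded call `polls` times, drops it, and returns whether the store may be reused.
pub fn reusable_after(polls: usize) -> bool {
    let (flag, waker) = (Poisoned::default(), Waker::from(Arc::new(Noop)));
    let mut fut = Guarded::new(YieldOnce(false), &flag);
    for _ in 0..polls { let _ = Pin::new(&mut fut).poll(&mut Context::from_waker(&waker)); }
    drop(fut);
    !flag.load(Ordering::SeqCst)
}
fn main() { println!("{:?}", [reusable_after(0), reusable_after(1), reusable_after(2)]); }
```

In a real embedding the flag would live alongside the store, and a set flag would mean discarding that store and instance instead of issuing another call on it.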
Affected Version(s)
wasmtime >= 39.0.0, < 40.0.4 < 39.0.0, 40.0.4
wasmtime >= 41.0.0, < 41.0.4 < 41.0.0, 41.0.4
