Resource Exhaustion Vulnerability in Wasmtime by Bytecode Alliance
CVE-2026-27204

6.9 MEDIUM

Key Information:

Status
Vendor
CVE Published: 24 February 2026

What is CVE-2026-27204?

Wasmtime, a runtime for WebAssembly, has a vulnerability in how it handles guest-controlled resource allocation through WASI host interfaces. Before the fixed releases, the runtime did not sufficiently limit the types of resource allocations that guests could request, which could lead to Denial of Service conditions. Fixes have been released in versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, but to stay compatible with existing behavior the default configuration in those versions does not automatically prevent the issue. Users are encouraged to upgrade to the latest versions and adjust their configurations accordingly, so that potentially malicious guest inputs cannot cause resource exhaustion.

Affected Version(s)

wasmtime < 24.0.6

wasmtime >= 25.0.0, < 36.0.6

wasmtime >= 37.0.0, < 40.0.4

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
