Denial of Service Vulnerability in Wasmtime WebAssembly Runtime by Bytecode Alliance
CVE-2026-27572

6.9 MEDIUM

Key Information:

CVE Published: 24 February 2026

What is CVE-2026-27572?

Wasmtime, a runtime for WebAssembly developed by Bytecode Alliance, has a vulnerability in its wasi:http/types.fields resource implementation. The runtime panics when handling an excessive number of header fields, which can lead to Denial of Service for applications embedding it. The issue originates from ungraceful handling of capacity limits in the data structure used by the wasmtime-wasi-http crate. Affected users are urged to upgrade to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0, which mitigate the vulnerability by returning a trap to the guest instead of crashing. No workarounds exist, so updating is critical for maintaining application stability.

Affected Version(s)

wasmtime < 24.0.6

wasmtime >= 25.0.0, < 36.0.6

wasmtime >= 37.0.0, < 40.0.4
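
A check for the affected ranges above, as an added example that is not part of the original advisory or the Wasmtime project: it scans Cargo.lock text for wasmtime-wasi-http entries that predate the fixed releases. It assumes the crate carries the same version number as the wasmtime release, and treats 41.0.0 up to 41.0.4 as affected by inference from the 41.0.4 fix release; the sample lockfile is constructed.

```rust
// Flag locked wasmtime-wasi-http versions that predate the CVE-2026-27572 fixes.
// Assumption: the crate carries the same version number as the wasmtime release.
type Ver = (u64, u64, u64);

fn parse_version(s: &str) -> Option<Ver> {
    let mut it = s.split('.').map(|p| p.parse::<u64>());
    let v = (it.next()?.ok()?, it.next()?.ok()?, it.next()?.ok()?);
    if it.next().is_some() { None } else { Some(v) }
}

/// True when the version falls in an affected range.
fn is_affected(v: Ver) -> bool {
    v < (24, 0, 6)
        || (v >= (25, 0, 0) && v < (36, 0, 6))
        || (v >= (37, 0, 0) && v < (40, 0, 4))
        // Assumption: inferred from the 41.0.4 fix; the page lists no 41.x range.
        || (v >= (41, 0, 0) && v < (41, 0, 4))
}

/// Return every locked version of `krate` in the Cargo.lock text that is affected.
fn affected_in_lockfile(lock: &str, krate: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut in_target = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_target = false;
        } else if let Some(name) = line.strip_prefix("name = ") {
            in_target = name.trim_matches('"') == krate;
        } else if let Some(ver) = line.strip_prefix("version = ") {
            let ver = ver.trim_matches('"');
            // Fail closed: a version that does not parse is reported for review.
            if in_target && parse_version(ver).map_or(true, is_affected) {
                hits.push(ver.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK: &str = concat!(
    "[[package]]\nname = \"http\"\nversion = \"1.1.0\"\n",
    "[[package]]\nname = \"wasmtime-wasi-http\"\nversion = \"36.0.5\"\n",
    "[[package]]\nname = \"wasmtime-wasi-http\"\nversion = \"42.0.0\"\n",
);

fn main() {
    for v in affected_in_lockfile(SAMPLE_LOCK, "wasmtime-wasi-http") {
        println!("wasmtime-wasi-http {} is affected by CVE-2026-27572", v);
    }
}
```
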

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
