PT-2026-21804 · Wasmtime · Wasmtime

Alex Crichton +1 · Published 2026-02-24 · Updated 2026-02-25 · CVE-2026-27195

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Wasmtime versions 39.0.0 through 41.0.3

Description

Wasmtime, a runtime for WebAssembly, can panic when the host embedder drops the future returned by wasmtime::component::[Typed]Func::call_async before it resolves and then calls the same function again with the same component instance. This occurs because the component instance enters a non-reenterable state, which leads to a trap and a subsequent panic during task disposal. The issue arises from a bug in the implementation of [Typed]Func::call_async introduced with the component-model-async feature, which became the default starting with version 39.0.0. The affected API is wasmtime::component::[Typed]Func::call_async; the issue is triggered by improper handling of the future it returns. Embeddings with the component-model-async compile-time feature disabled are not affected.

Recommendations

Wasmtime versions 39.0.0 through 40.0.3 should be updated to version 40.0.4 or 41.0.4. Wasmtime versions 40.0.4 through 41.0.3 should be updated to version 41.0.4. If an embedding is not using any component-model-async features, disable the component-model-async Cargo feature. Ensure every call_async future is awaited until it completes. Refrain from using the Store again after dropping a not-yet-resolved call_async future.
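The last two recommendations can be enforced in the host rather than left to convention. The following is an added example, not Wasmtime's or the advisory's code: a std-only Rust model in which a wrapper marks its store as poisoned when a call future is dropped before it resolves and refuses any further call. GuardedStore, Guarded, TwoPolls and Noop are hypothetical names; a real embedding would wrap its own Store and the future returned by call_async.

```rust
use std::{cell::Cell, future::Future, pin::Pin, rc::Rc, sync::Arc};
use std::task::{Context, Poll, Wake, Waker};

/// Hypothetical embedder-side flag holder; in a real host it would own the Store.
pub struct GuardedStore { poisoned: Rc<Cell<bool>> }
/// Wraps a call future and poisons the store if dropped before it resolves.
pub struct Guarded<F> { inner: Pin<Box<F>>, done: bool, poisoned: Rc<Cell<bool>> }
impl<F: Future> Future for Guarded<F> {
    type Output = F::Output;
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<F::Output> {
        let out = self.inner.as_mut().poll(cx);
        self.done = out.is_ready();
        out
    }
}
impl<F> Drop for Guarded<F> { fn drop(&mut self) { if !self.done { self.poisoned.set(true) } } }
impl GuardedStore {
    pub fn new() -> Self { GuardedStore { poisoned: Rc::new(Cell::new(false)) } }
    /// Refuses new calls once an earlier one was abandoned mid-flight.
    pub fn call<F: Future>(&self, fut: F) -> Result<Guarded<F>, &'static str> {
        if self.poisoned.get() { return Err("call abandoned earlier: rebuild store and instance"); }
        Ok(Guarded { inner: Box::pin(fut), done: false, poisoned: self.poisoned.clone() })
    }
}
/// Constructed stand-in for a guest call that is Pending on its first poll.
struct TwoPolls(bool);
impl Future for TwoPolls {
    type Output = u32;
    fn poll(mut self: Pin<&mut Self>, _: &mut Context<'_>) -> Poll<u32> {
        if self.0 { Poll::Ready(7) } else { self.0 = true; Poll::Pending }
    }
}
struct Noop;
impl Wake for Noop { fn wake(self: Arc<Self>) {} }
/// Returns (value of completed call, poisoned only after the abandoned call, next call refused).
pub fn demo() -> (u32, bool, bool) {
    let waker = Waker::from(Arc::new(Noop));
    let mut cx = Context::from_waker(&waker);
    let store = GuardedStore::new();
    let mut ok = store.call(TwoPolls(false)).unwrap();
    let _ = Pin::new(&mut ok).poll(&mut cx); // first poll: Pending
    let value = match Pin::new(&mut ok).poll(&mut cx) { Poll::Ready(v) => v, _ => 0 };
    drop(ok); // already resolved, so dropping is harmless
    let clean = !store.poisoned.get();
    let mut abandoned = store.call(TwoPolls(false)).unwrap();
    let _ = Pin::new(&mut abandoned).poll(&mut cx); // first poll: Pending
    drop(abandoned); // e.g. a timeout fired: future dropped before it resolved
    (value, clean && store.poisoned.get(), store.call(TwoPolls(false)).is_err())
}
fn main() { println!("{:?}", demo()); }
```

The guard is conservative: a wrapped future that is dropped without ever being polled also poisons the store.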

Exploit

Fix

DoS

Improper Handling of Exceptional Conditions

Weakness Enumeration

Related Identifiers

CVE-2026-27195
GHSA-XJHV-V822-PF94
RUSTSEC-2026-0022

Affected Products

Wasmtime