PT-2026-21805 · Bytecode Alliance · Wasmtime

Mbund · Published 2026-01-01 · Updated 2026-02-25 · CVE-2026-27204

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Name of the Vulnerable Software and Affected Versions

Wasmtime versions prior to 24.0.6
Wasmtime versions prior to 36.0.6
Wasmtime versions prior to 40.0.4
Wasmtime versions prior to 41.0.4
Wasmtime versions prior to 42.0.0

Description

Wasmtime's implementation of WASI host interfaces is susceptible to guest-controlled resource exhaustion on the host. The runtime did not appropriately limit resource allocations requested by guests, creating a Denial of Service vector. A guest can induce crashing behaviors on the host, such as allocating large amounts of memory, causing allocation failures, or triggering panics. The issue affects WASIp1 and WASIp2, as well as any Component Model (or WIT) based host API operating on string or list<T> types. The issue can lead to arbitrary amounts of host memory being allocated, and the guest can force the host to buffer arbitrary amounts of data.

Recommendations

Upgrade to Wasmtime version 24.0.6 or later.
Upgrade to Wasmtime version 36.0.6 or later.
Upgrade to Wasmtime version 40.0.4 or later.
Upgrade to Wasmtime version 41.0.4 or later.
Upgrade to Wasmtime version 42.0.0 or later.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-27204
GHSA-852M-CVVP-9P4W
RUSTSEC-2026-0020

Affected Products

Wasmtime