PT-2026-21806 · Bytecode Alliance · Wasmtime
Alexcrichton · Published 2026-01-01 · Updated 2026-02-25 · CVE-2026-27572
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Wasmtime versions prior to 24.0.6
Wasmtime versions prior to 36.0.6
Wasmtime version 4.0.04
Wasmtime versions prior to 41.0.4
Wasmtime versions prior to 42.0.0
Description
Wasmtime's implementation of the wasi:http/types.fields resource is susceptible to panics when an excessive number of fields are added to the set of headers. The wasmtime-wasi-http crate uses a data structure that panics when it reaches its capacity, and this condition was not handled gracefully. A panic in a WASI implementation can lead to a Denial of Service for embedders.
Recommendations
Update to Wasmtime version 24.0.6 or later.
Update to Wasmtime version 36.0.6 or later.
Update to Wasmtime version 4.0.04 or later.
Update to Wasmtime version 41.0.4 or later.
Update to Wasmtime version 42.0.0 or later.
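The failure mode from the description, as an added Rust sketch that is not wasmtime-wasi-http's own code: a capacity-bounded header table whose insert panics at the limit, beside a fallible insert that returns an error the host can pass back to the guest. `Fields`, `FieldsError`, `MAX_FIELDS` and its value are hypothetical names and constructed values.

```rust
// Added illustration, not wasmtime-wasi-http's code. `Fields`, `FieldsError`
// and `MAX_FIELDS` (with its value) are hypothetical names for this sketch.
pub const MAX_FIELDS: usize = 1024; // constructed limit

#[derive(Debug, PartialEq)]
pub enum FieldsError { TooManyFields { limit: usize } }

#[derive(Default)]
pub struct Fields { entries: Vec<(String, Vec<u8>)> }

impl Fields {
    /// Unhandled shape: hitting capacity panics inside the host call.
    pub fn append_or_panic(&mut self, name: &str, value: &[u8]) {
        assert!(self.entries.len() < MAX_FIELDS, "header table at capacity");
        self.entries.push((name.to_string(), value.to_vec()));
    }

    /// Handled shape: hitting capacity is an ordinary error value.
    pub fn try_append(&mut self, name: &str, value: &[u8]) -> Result<(), FieldsError> {
        if self.entries.len() >= MAX_FIELDS {
            return Err(FieldsError::TooManyFields { limit: MAX_FIELDS });
        }
        self.entries.push((name.to_string(), value.to_vec()));
        Ok(())
    }
}

/// A guest appending `n` headers: returns how many were stored and the error, if any.
pub fn guest_appends(n: usize) -> (usize, Option<FieldsError>) {
    let mut f = Fields::default();
    for i in 0..n {
        if let Err(e) = f.try_append(&format!("x-h-{}", i), b"v") {
            return (f.entries.len(), Some(e));
        }
    }
    (f.entries.len(), None)
}

/// True if the panicking variant unwinds when fed `n` headers.
pub fn panicking_variant_unwinds(n: usize) -> bool {
    std::panic::catch_unwind(move || {
        let mut f = Fields::default();
        for i in 0..n { f.append_or_panic(&format!("x-h-{}", i), b"v"); }
    })
    .is_err()
}

fn main() {
    println!("{:?}", guest_appends(MAX_FIELDS + 5));
}
```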
Exploit
Fix
DoS
Allocation of Resources Without Limits
Affected Products
Wasmtime