PT-2026-22073 · Spin+2

Fibonacci1729 · Published 2026-02-26 · Updated 2026-02-26 · CVE-2026-27887

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions

Spin versions prior to 3.6.1
SpinKube versions prior to 0.6.2
containerd-shim-spin versions prior to 0.22.1

Description

Spin is a developer tool for building and running serverless applications using WebAssembly. A memory exhaustion issue can occur when Spin connects to databases or web servers that may return responses of unbounded size. In such cases, Spin might attempt to buffer the entire response before delivering it to the guest, potentially leading to the host process running out of memory and crashing. A malicious guest application could exacerbate this by inserting a large number of rows or values into a database and then retrieving them all at once, causing large host allocations.

Recommendations

Update Spin to version 3.6.1 or later.
Update SpinKube to version 0.6.2 or later.
Update containerd-shim-spin to version 0.22.1 or later.
As a workaround, configure Spin to only allow access to trusted databases and HTTP servers that limit response sizes.
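
The workaround above, sketched as a Spin application manifest. This is an added example, not taken from the advisory or the Spin project; the application name, component name, source path and host names are constructed placeholders, and `allowed_outbound_hosts` is the manifest key that restricts a component's outbound connections.

```toml
# Constructed spin.toml (manifest version 2) for a hypothetical "orders" app.
spin_manifest_version = 2

[application]
name = "orders"          # placeholder application name
version = "0.1.0"

[[trigger.http]]
route = "/..."
component = "orders"

[component.orders]
source = "orders.wasm"   # placeholder path to the guest module

# Weak setting: wildcards let the guest reach any HTTPS server or PostgreSQL
# instance, including ones that return responses of unbounded size.
# allowed_outbound_hosts = ["https://*:*", "postgres://*:*"]

# Tightened setting: only named, trusted upstreams (placeholder hosts).
# Each entry is scheme://host:port; anything not listed is refused.
allowed_outbound_hosts = [
  "https://api.internal.example:443",
  "postgres://db.internal.example:5432",
]
```

The allow-list only narrows which servers the host will talk to. On affected versions the listed servers must themselves cap response sizes, and a database the guest can write to remains a source of large result sets until the fixed versions are installed.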

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-27887
GHSA-MV4F-6FFM-32WX

Affected Products

Spin
SpinKube
containerd-shim-spin