Vulnerability DatabaseCVE-2026-27204
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-27204
February 24, 2026
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.
Affected Packages
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v25.0.0 <v36.0.6
Fix Suggestion:
Update to version v36.0.6
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v0.2.0 <v24.0.6
Fix Suggestion:
Update to version v24.0.6
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v41.0.0 <v41.0.4
Fix Suggestion:
Update to version v41.0.4
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v37.0.0 <v40.0.04
Fix Suggestion:
Update to version v40.0.04
wasmtime (RUST):
Affected version(s) >=25.0.0 <36.0.6
Fix Suggestion:
Update to version 36.0.6
wasmtime (RUST):
Affected version(s) >=37.0.0 <40.0.4
Fix Suggestion:
Update to version 40.0.4
wasmtime (RUST):
Affected version(s) >=0.0.0 <24.0.6
Fix Suggestion:
Update to version 24.0.6
Related Resources (11)
https://docs.rs/wasmtime-wasi/latest/wasmtime_wasi/struct.WasiCtxBuilder.html#method.max_random_size
https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html
https://github.com/bytecodealliance/wasmtime
https://crates.io/crates/wasmtime
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w
https://github.com/bytecodealliance/wasmtime/pull/12599
https://docs.rs/wasmtime/latest/wasmtime/struct.Store.html#method.set_hostcall_fuel
https://nvd.nist.gov/vuln/detail/CVE-2026-27204
https://github.com/bytecodealliance/wasmtime/issues/11552
https://docs.rs/wasmtime/latest/wasmtime/component/struct.ResourceTable.html#method.set_max_capacity
https://rustsec.org/advisories/RUSTSEC-2026-0020.html
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
HIGH
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Uncontrolled Resource Consumption
CWE-400
Allocation of File Descriptors or Handles Without Limits or Throttling
CWE-774
Memory Allocation with Excessive Size Value
CWE-789
Allocation of Resources Without Limits or Throttling
CWE-770
EPSS
Base Score:
0.07