Mend.io Vulnerability Database
CVE-2026-27572
February 24, 2026
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementation of the "wasi:http/types.fields" resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the "wasmtime-wasi-http" crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.
Affected Packages
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v41.0.0 <v41.0.4
Fix Suggestion:
Update to version v41.0.4
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v0.2.0 <v24.0.6
Fix Suggestion:
Update to version v24.0.6
https://github.com/bytecodealliance/wasmtime.git (GITHUB):
Affected version(s) >=v25.0.0 <v36.0.6
Fix Suggestion:
Update to version v36.0.6
wasmtime (RUST):
Affected version(s) >=37.0.0 <40.0.4
Fix Suggestion:
Update to version 40.0.4
wasmtime (RUST):
Affected version(s) >=0.0.0 <24.0.6
Fix Suggestion:
Update to version 24.0.6
wasmtime (RUST):
Affected version(s) >=25.0.0 <36.0.6
Fix Suggestion:
Update to version 36.0.6
CVSS v4
Base Score: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Privileges Required: LOW
User Interaction: PASSIVE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: HIGH
CVSS v3
Base Score: 6.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH
Weakness Type (CWE): Allocation of Resources Without Limits or Throttling
EPSS
Base Score: 0.07