FKIE_CVE-2026-27572

Vulnerability from fkie_nvd - Published: 2026-02-24 22:16 - Updated: 2026-02-25 15:36
Summary
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "FAB7C7D9-433F-4046-932B-44456BB034A3",
              "versionEndExcluding": "24.0.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "4AF1D021-3AC7-419E-AD0B-5C5738DC51E5",
              "versionEndExcluding": "36.0.6",
              "versionStartIncluding": "25.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "2DBCFCF3-5A70-4441-B73D-E1CE96B01BE7",
              "versionEndExcluding": "40.0.4",
              "versionStartIncluding": "37.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "9BF3C16E-C1D8-468A-9F60-9F6F45DA98E3",
              "versionEndExcluding": "41.0.4",
              "versionStartIncluding": "41.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime\u0027s implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime\u0027s implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime."
    },
    {
      "lang": "es",
      "value": "Wasmtime es un entorno de ejecuci\u00f3n para WebAssembly. Antes de las versiones 24.0.6, 36.0.6, 4.0.04, 41.0.4 y 42.0.0, la implementaci\u00f3n de Wasmtime del recurso `wasi:http/types.fields` es susceptible a panics cuando se a\u00f1aden demasiados campos al conjunto de cabeceras. La implementaci\u00f3n de Wasmtime en el crate `wasmtime-wasi-http` est\u00e1 respaldada por una estructura de datos que entra en p\u00e1nico cuando alcanza una capacidad excesiva. Esta condici\u00f3n no se manej\u00f3 convenientemente en Wasmtime. Entrar en p\u00e1nico en una implementaci\u00f3n de WASI es un vector de denegaci\u00f3n de servicio para los integradores y se trata como una vulnerabilidad de seguridad en Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4 y 42.0.0 aplican un parche a esta vulnerabilidad y devuelven una trampa al invitado en lugar de entrar en p\u00e1nico. No hay soluciones alternativas conocidas en este momento. Se anima a los integradores a actualizar a una versi\u00f3n de Wasmtime con parche."
    }
  ],
  "id": "CVE-2026-27572",
  "lastModified": "2026-02-25T15:36:36.380",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-24T22:16:32.687",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://docs.rs/http/1.4.0/http/header/#limitations"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

