CVE-2026-27204

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27204
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27204.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27204
Aliases
Downstream
Related
Published
2026-02-24T21:23:47.007Z
Modified
2026-03-03T02:56:44.429209Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVSS Calculator
Summary
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
Details

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27204.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400",
        "CWE-770",
        "CWE-774",
        "CWE-789"
    ]
}
References

Affected packages

Git / github.com/bytecodealliance/wasmtime

Affected ranges

Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f18f06e6dea00a78c06913061d952b26ed700b92
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "24.0.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
0b195ef5db76c02fb5392ec1418c58bdc5537d41
Fixed
f2054e0911f55af50686bee4da39d15308e14aec
Database specific 
{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "36.0.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
7b3d6ae79e9153a2477668062f5622c10333925f
Fixed
dc38c5b110862df44e9934ec90dc45e875f18835
Database specific 
{
    "versions": [
        {
            "introduced": "37.0.0"
        },
        {
            "fixed": "40.0.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
3dda916921536c2b5233ec98315b6d05c793a34b
Fixed
d938a9df47c8e62014c1a12571547411ede6ff5e
Database specific 
{
    "versions": [
        {
            "introduced": "41.0.0"
        },
        {
            "fixed": "41.0.4"
        }
    ]
}

Affected versions

cranelift-v0.*
cranelift-v0.60.0
cranelift-v0.61.0
cranelift-v0.69.0
filecheck-v0.*
filecheck-v0.0.1
v0.*
v0.12.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v24.*
v24.0.0
v24.0.1
v24.0.2
v24.0.3
v24.0.4
v24.0.5
v41.*
v41.0.0
v41.0.1
v41.0.2
v41.0.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27204.json"