CVE-2026-27572

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27572
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27572.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27572
Aliases
Downstream
Related
Published
2026-02-24T21:31:50.186Z
Modified
2026-03-03T02:56:48.644386Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVSS Calculator
Summary
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance
Details

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the wasi:http/types.fields resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the wasmtime-wasi-http crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27572.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/bytecodealliance/wasmtime

Affected ranges

Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f18f06e6dea00a78c06913061d952b26ed700b92
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "24.0.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
0b195ef5db76c02fb5392ec1418c58bdc5537d41
Fixed
f2054e0911f55af50686bee4da39d15308e14aec
Database specific 
{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "36.0.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
7b3d6ae79e9153a2477668062f5622c10333925f
Fixed
dc38c5b110862df44e9934ec90dc45e875f18835
Database specific 
{
    "versions": [
        {
            "introduced": "37.0.0"
        },
        {
            "fixed": "40.0.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/bytecodealliance/wasmtime
Events
Introduced
3dda916921536c2b5233ec98315b6d05c793a34b
Fixed
d938a9df47c8e62014c1a12571547411ede6ff5e
Database specific 
{
    "versions": [
        {
            "introduced": "41.0.0"
        },
        {
            "fixed": "41.0.4"
        }
    ]
}

Affected versions

cranelift-v0.*
cranelift-v0.60.0
cranelift-v0.61.0
cranelift-v0.69.0
filecheck-v0.*
filecheck-v0.0.1
v0.*
v0.12.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v24.*
v24.0.0
v24.0.1
v24.0.2
v24.0.3
v24.0.4
v24.0.5
v41.*
v41.0.0
v41.0.1
v41.0.2
v41.0.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27572.json"