CVE-2026-27195
published 2026-02-24
Priority: P3 42, high, 7.5 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:N I:N A:H
EPSS: 0.36% (28.1th percentile)
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances:

1. The host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once.
2. The component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to a host function registered using `LinkerInstance::func_wrap_async` which yields, or due to an epoch interruption.
3. The host embedding drops the `Future` after polling it once. This leaves the component instance in a non-reenterable state since the call never had a chance to complete.
4. The host embedding calls `[Typed]Func::call_async` again, polling the returned `Future`. Since the component instance cannot be entered at this point, the call traps, but not before allocating a task and thread for the call.
5. The host embedding ignores the trap and drops the `Future`. This panics due to the runtime attempting to dispose of the task created above, which panics since the thread has not yet exited.

When a host embedder using the affected versions of Wasmtime calls `wasmtime::component::[Typed]Func::call_async` on a guest export and then drops the returned future without waiting for it to resolve, and then does so again with the same component instance, Wasmtime will panic. Embeddings that have the `component-model-async` compile-time feature disabled are unaffected.

Wasmtime 40.0.4 and 41.0.4 have been patched to fix this issue. Versions 42.0.0 and later are not affected. If an embedding is not actually using any component-model-async features then disabling the `component-model-async` Cargo feature can work around this issue. This issue can also be worked around by either ensuri
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 39.0.0 < 40.0.4 | 40.0.4 |
| bytecodealliance | wasmtime | >= 39.0.0 < 40.0.4 | 40.0.4 |
| bytecodealliance | wasmtime | >= 41.0.0 < 41.0.4 | 41.0.4 |
| bytecodealliance | wasmtime | >= 41.0.0 < 41.0.4 | 41.0.4 |
| debian | rust-wasmtime | — | — |
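A lockfile check for the version ranges in the table above, as an added example that is not part of the advisory or of Wasmtime's own code. The helper names and the sample lockfile are constructed for illustration; the check cannot see whether the `component-model-async` Cargo feature is disabled, so an "Affected" result still needs that confirmed.

```rust
// Added example: flag `wasmtime` entries in Cargo.lock text that fall in the page's ranges.
#[derive(Debug, PartialEq)]
enum Status { Affected, NotAffected, Unparsed }

/// Parse plain "MAJOR.MINOR.PATCH"; pre-releases like "41.0.4-rc.1" return None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split('+').next()?; // ignore build metadata
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let parsed = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(parsed) }
}

/// Ranges from the page: >= 39.0.0 < 40.0.4 and >= 41.0.0 < 41.0.4.
fn classify(version: &str) -> Status {
    match parse_version(version) {
        None => Status::Unparsed, // left for manual review
        Some(v) if (v >= (39, 0, 0) && v < (40, 0, 4))
            || (v >= (41, 0, 0) && v < (41, 0, 4)) => Status::Affected,
        Some(_) => Status::NotAffected,
    }
}

/// Return (version, status) for every package named exactly `wasmtime`.
fn scan_lockfile(lock: &str) -> Vec<(String, Status)> {
    let mut out = Vec::new();
    let mut name: Option<&str> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"'));
        } else if let Some(v) = line.strip_prefix("version = ") {
            if name == Some("wasmtime") {
                let v = v.trim_matches('"');
                out.push((v.to_string(), classify(v)));
            }
        }
    }
    out
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"wasmtime\"\nversion = \"41.0.3\"\n\n\
[[package]]\nname = \"wasmtime-environ\"\nversion = \"41.0.3\"\n\n\
[[package]]\nname = \"wasmtime\"\nversion = \"42.0.0\"\n";

fn main() {
    for (v, s) in scan_lockfile(SAMPLE_LOCK) { println!("wasmtime {v}: {s:?}"); }
}
```

A lockfile can hold more than one `wasmtime` version when dependencies disagree, which is why every match is reported rather than only the first.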
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_debian | — | 6.9 | LOW | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
OSV
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
osv·2026-02-24
CVE-2026-27195 [MEDIUM] Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
The affected versions of Wasmtime can panic if the host embedder drops the future returned by `wasmtime::component::[Typed]Func::call_async` before it resolves.
### Details
Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances:
1. The host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once.
2. The component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to
GHSA
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
ghsa·2026-02-24
CVE-2026-27195 [MEDIUM] CWE-755 Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
The affected versions of Wasmtime can panic if the host embedder drops the future returned by `wasmtime::component::[Typed]Func::call_async` before it resolves.
### Details
Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances:
1. The host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once.
2. The component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to
OSV
Panic when dropping a `[Typed]Func::call_async` future
osv·2026-02-24
CVE-2026-27195 Panic when dropping a `[Typed]Func::call_async` future
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94
For more information see the GitHub-hosted security advisory.
Red Hat
wasmtime: Wasmtime: Denial of Service via repeated async function calls
vendor_redhat·2026-02-24·CVSS 6.9
CVE-2026-27195 [MEDIUM] CWE-248 wasmtime: Wasmtime: Denial of Service via repeated async function calls
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances: First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to a host function registered using `LinkerInstance::func_wrap_async` which yields, or due to an epoch interruption. Third, the host embedding dr
Debian
CVE-2026-27195: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `compo...
vendor_debian·2026·CVSS 6.9
CVE-2026-27195 [MEDIUM] CVE-2026-27195: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `compo...
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances: First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to a host function registered using `LinkerInstance::func_wrap_async` which yields, or due to an epoch interruption. Third, the host embedding drops the `Future` after polling it once. This leaves the component instanc
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27195 tree-sitter: Wasmtime: Denial of Service via repeated async function calls [fedora-42]
bugzilla·2026-02-24·CVSS 6.9
CVE-2026-27195 [MEDIUM] CVE-2026-27195 tree-sitter: Wasmtime: Denial of Service via repeated async function calls [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained vers
Wiz
CVE-2026-27195 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27195 [MEDIUM] CVE-2026-27195 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27195: Rust vulnerability analysis and mitigation
- Source: NVD
- Score: 6.9
- Published: February 24, 2026
- Severity: MEDIUM
- CNA Score: 6.9
- Affected Technologies: Rust, NixOS
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 21.4
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: yara-x, wasmtime
- Sources: NVD
- Chainguard: Has Fix, added at Mar 02, 2026
- Rust: Severity MEDIUM, Has Fix
- https://bytecodealliance.zulipchat.com/#narrow/channel/206238-general/topic/.E2.9C.94.20Panic.20in.20Wasmtime.2041.2E0.2E3.20.28runtime.2Fconcurrent.2Fcomponent.29/with/574438798
- https://github.com/bytecodealliance/wasmtime/commit/9e51c0d9a240a9613d279c061f82286bd11383fd
- https://github.com/bytecodealliance/wasmtime/commit/d86b00736b9ece60b3c81e52f7a7e4cdd9f7d895
- https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4
- https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94

Published 2026-02-24