CVE-2026-27195 — Improper Handling of Exceptional Conditions in Wasmtime

CWE-755 — Improper Handling of Exceptional Conditions CWE-248 — Uncaught Exception7 documents6 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 78.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasmtime Debian Rust-wasmtime

Timeline

PublishedFeb 24

Description

Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances: First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the c…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages4 packages

▶NVDbytecodealliance/wasmtime39.0.0 — 40.0.4+1

▶crates.iobytecodealliance/wasmtime39.0.0 — 40.0.4+1

▶debiandebian/rust-wasmtime

▶CVEListV5bytecodealliance/wasmtime>= 39.0.0, < 40.0.4, >= 41.0.0, < 41.0.4+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future↗2026-02-24

▶

GHSA

Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future↗2026-02-24

▶

OSV

Panic when dropping a `[Typed]Func::call_async` future↗2026-02-24

▶

📋Vendor Advisories

Red Hat

wasmtime: Wasmtime: Denial of Service via repeated async function calls↗2026-02-24

▶

Debian

CVE-2026-27195: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `compo...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27195 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶