CVE-2026-27204
Published 2026-02-24
Priority: P3 · 36 · medium · CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.34% (26.3rd percentile)
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces is susceptible to guest-controlled resource exhaustion on the host: Wasmtime did not appropriately limit resource allocations requested by guests, which serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent the issue in their default configuration, to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0 and later will have these knobs tuned by default to prevent the issue. There are no known workarounds for this issue without upgrading. Embedders are advised to upgrade and configure their embeddings as necessary to prevent possibly malicious guests from triggering this issue.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | < 24.0.6 | 24.0.6 |
| bytecodealliance | wasmtime | >= 25.0.0 < 36.0.6 | 36.0.6 |
| bytecodealliance | wasmtime | >= 37.0.0 < 40.0.4 | 40.0.4 |
| bytecodealliance | wasmtime | >= 41.0.0 < 41.0.4 | 41.0.4 |
| debian | rust-wasmtime | < 36.0.6+dfsg-1 (forky) | 36.0.6+dfsg-1 (forky) |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
OSV · 2026-02-24
CVE-2026-27204 [MEDIUM] Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
### Impact
Wasmtime's implementation of WASI host interfaces is susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately limit resource allocations requested by guests. This serves as a Denial of Service vector, where a guest can induce a range of crashing behaviors on the host, such as:
* Allocating arbitrarily large amounts of host memory.
* Causing an allocation failure on the host, which in Rust defaults to aborting the process.
* Causing a panic on the host due to over-large allocations being performed.
* Causing degradation in host performance by holding excessive host memory alive.
Wasmtime's [security bug policy](https://docs.wasmtime.dev
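The host-side pattern behind the impact list above, as an added example that is not Wasmtime's own code: a hypothetical host call that serves a guest's request for `n` random bytes. The unbounded form hands the guest-supplied length straight to the allocator, so the guest decides whether the host aborts (allocation failure) or panics (capacity overflow). The bounded form applies a host-configured cap first and then reserves fallibly, so both failure modes become an ordinary error returned to the guest. The names `HostLimits`, `HostError`, `fill_random_bounded` and the fixed-seed filler are assumptions for illustration; the real knobs are the ones linked in the references (`WasiCtxBuilder::max_random_size`, `ResourceTable::set_max_capacity`, `Store::set_hostcall_fuel`).

```rust
// Added example (not Wasmtime's code): bounding the allocation size a guest
// may request from a host call. All names here are hypothetical.
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum HostError {
    /// The guest asked for more than the host's per-call limit.
    RequestTooLarge { requested: u64, limit: usize },
    /// The allocator refused the request; surfaced as an error instead of
    /// the process-aborting default.
    OutOfMemory,
}

/// Limits chosen by the embedder, never by the guest.
pub struct HostLimits {
    /// Maximum bytes a single guest call may ask the host to allocate.
    pub max_alloc_per_call: usize,
}

/// Unbounded pattern (the class of bug the advisory describes): the
/// guest-controlled length goes straight to `vec!`, which aborts the process
/// on allocation failure and panics on capacity overflow. Kept for contrast
/// only; nothing in this example calls it.
pub fn fill_random_unbounded(requested_len: u64) -> Vec<u8> {
    let mut buf = vec![0u8; requested_len as usize];
    fill_with_pseudo_random(&mut buf);
    buf
}

/// Bounded pattern: enforce the host's cap, then reserve fallibly so an
/// allocation failure is a recoverable error rather than an abort.
pub fn fill_random_bounded(limits: &HostLimits, requested_len: u64) -> Result<Vec<u8>, HostError> {
    let len = usize::try_from(requested_len)
        .ok()
        .filter(|&n| n <= limits.max_alloc_per_call)
        .ok_or(HostError::RequestTooLarge {
            requested: requested_len,
            limit: limits.max_alloc_per_call,
        })?;
    let mut buf = Vec::new();
    // try_reserve_exact reports OOM as Err instead of invoking the global
    // allocation-error handler (which aborts by default).
    buf.try_reserve_exact(len).map_err(|_| HostError::OutOfMemory)?;
    buf.resize(len, 0);
    fill_with_pseudo_random(&mut buf);
    Ok(buf)
}

/// Stand-in for the host's entropy source: a fixed-seed xorshift constructed
/// for the example so it runs offline. A real host would use the OS RNG.
fn fill_with_pseudo_random(buf: &mut [u8]) {
    let mut state: u64 = 0x9E37_79B9_7F4A_7C15;
    for byte in buf.iter_mut() {
        state ^= state << 13;
        state ^= state >> 7;
        state ^= state << 17;
        *byte = state as u8;
    }
}

fn main() {
    let limits = HostLimits { max_alloc_per_call: 64 * 1024 };
    println!("{:?}", fill_random_bounded(&limits, 16).map(|b| b.len()));
    println!("{:?}", fill_random_bounded(&limits, 1 << 40));
}
```

The cap belongs to the host configuration, not to the guest's request; a request at the limit succeeds, one byte over it is refused before any memory is touched, and a length that does not even fit in `usize` is rejected by the same check rather than truncated by a cast.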
GHSA · 2026-02-24
CVE-2026-27204 [MEDIUM] CWE-400 Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
(Advisory body identical to the OSV entry above.)
OSV · 2026-02-24 · CVSS 6.9
CVE-2026-27204 [MEDIUM] CVE-2026-27204: Wasmtime is a runtime for WebAssembly
(NVD description as above.)
OSV (RustSec) · 2026-02-24
CVE-2026-27204 Guest-controlled resource exhaustion in WASI implementations
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w. For more information see the GitHub-hosted security advisory.
Red Hat · 2026-02-24 · CVSS 6.9
CVE-2026-27204 [MEDIUM] CWE-770 wasmtime: Wasmtime: Denial of Service via guest-controlled resource exhaustion in WASI host interfaces
(NVD description as above.)
Debian · 2026 · CVSS 6.9
CVE-2026-27204 [MEDIUM] CVE-2026-27204: rust-wasmtime - Wasmtime is a runtime for WebAssembly
(NVD description as above.)
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-02-24 · CVSS 6.9
CVE-2026-27204 [MEDIUM] tree-sitter: Wasmtime: Denial of Service via guest-controlled resource exhaustion in WASI host interfaces [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Discussion:

This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it
Wiz · CVSS 6.9
CVE-2026-27204 [MEDIUM] CVE-2026-27204 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27204: Rust vulnerability analysis and mitigation
(NVD description as above.)
References:
* https://docs.rs/wasmtime-wasi/latest/wasmtime_wasi/struct.WasiCtxBuilder.html#method.max_random_size
* https://docs.rs/wasmtime/latest/wasmtime/component/struct.ResourceTable.html#method.set_max_capacity
* https://docs.rs/wasmtime/latest/wasmtime/struct.Store.html#method.set_hostcall_fuel
* https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html
* https://github.com/bytecodealliance/wasmtime/issues/11552
* https://github.com/bytecodealliance/wasmtime/pull/12599
* https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w