CVE-2026-27572: Allocation of Resources Without Limits or Throttling in Wasmtime

Severity: 6.9 MEDIUM (NVD)
EPSS: 0.0% (top 92.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24

Description

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Servic

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages (4 packages)

Source      Package                      Affected range
debian      debian/rust-wasmtime         < rust-wasmtime 36.0.6+dfsg-1 (forky)
NVD         bytecodealliance/wasmtime    25.0.0 to 36.0.6 (+3 more ranges)
crates.io   bytecodealliance/wasmtime    25.0.0 to 36.0.6 (+4 more ranges)
CVEListV5   bytecodealliance/wasmtime    >= 25.0.0, < 36.0.6; >= 37.0.0, < 40.0.4; >= 41.0.0, < 41.0.4 (+2 more ranges)

Patches

Vulnerability Details (4)

GHSA: Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance (2026-02-24)
OSV: CVE-2026-27572: Wasmtime is a runtime for WebAssembly (2026-02-24)
OSV: Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance (2026-02-24)
OSV: Panic adding excessive fields to a `wasi:http/types.fields` instance (2026-02-24)

Vendor Advisories (2)

Red Hat: wasmtime: Wasmtime: Denial of Service via excessive HTTP header fields (2026-02-24)
Debian: CVE-2026-27572: rust-wasmtime - Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04,... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-27572 Impact, Exploitability, and Mitigation Steps | Wiz