CVE-2026-27572
Description
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.
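The difference between the two behaviours described above, as an added std-only model that is not Wasmtime's code: a panicking append unwinds into the embedder, while a fallible append lets the host end only the offending guest. The `Fields` type, `run_guest`, and the 32,768 entry cap (the limit documented for the `http` crate's `HeaderMap`, assumed here to be the backing structure) are illustrative assumptions.

```rust
use std::panic::{self, AssertUnwindSafe};

// Assumed cap: the limit documented for `http::HeaderMap`; this is a model only.
const MAX_ENTRIES: usize = 32_768;

#[derive(Debug, PartialEq)]
enum Outcome { Completed, GuestTrapped(usize), HostPanicked }

#[derive(Default)]
struct Fields { entries: Vec<(String, String)> }

impl Fields {
    /// Pre-patch shape: exceeding capacity is a panic inside the host.
    fn append(&mut self, name: &str, value: &str) {
        assert!(self.entries.len() < MAX_ENTRIES, "header map at capacity");
        self.entries.push((name.into(), value.into()));
    }
    /// Patched shape: exceeding capacity is an error the host must handle.
    fn try_append(&mut self, name: &str, value: &str) -> Result<(), String> {
        if self.entries.len() >= MAX_ENTRIES {
            return Err(format!("fields limit of {} reached", MAX_ENTRIES));
        }
        self.entries.push((name.into(), value.into()));
        Ok(())
    }
}

/// Simulates a guest appending `n` headers through the host call.
fn run_guest(n: usize, patched: bool) -> Outcome {
    let result = panic::catch_unwind(AssertUnwindSafe(|| {
        let mut fields = Fields::default();
        for i in 0..n {
            let name = format!("x-h{}", i);
            if patched {
                if fields.try_append(&name, "v").is_err() {
                    return Outcome::GuestTrapped(i); // trap ends only this guest
                }
            } else {
                fields.append(&name, "v"); // may unwind into the embedder
            }
        }
        Outcome::Completed
    }));
    result.unwrap_or(Outcome::HostPanicked)
}
fn main() {
    println!("unpatched: {:?}", run_guest(MAX_ENTRIES + 1, false));
    println!("patched:   {:?}", run_guest(MAX_ENTRIES + 1, true));
}
```

In the model, `catch_unwind` stands in for the embedder boundary; an embedder built with `panic = "abort"` or without such a boundary would lose the whole process on the unpatched path.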
Mitigations
No mitigations published for this CVE yet.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | forky | fixed | 36.0.6+dfsg-1 |
| debian | sid | fixed | 36.0.6+dfsg-1 |
| debian | trixie | affected | |
References
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h
- https://nvd.nist.gov/vuln/detail/CVE-2026-27572
- https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a
- https://docs.rs/http/1.4.0/http/header/#limitations
- https://github.com/bytecodealliance/wasmtime
- https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6
- https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6
- https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4
- https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4
- https://rustsec.org/advisories/RUSTSEC-2026-0021.html
- https://crates.io/crates/wasmtime
- https://security-tracker.debian.org/tracker/CVE-2026-27572