Description
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances: First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the component function yields control to the async runtime (e.g. Tokio), for example due to a call to a host function registered using `LinkerInstance::func_wrap_async` which yields, or due to an epoch interruption. Third, the host embedding drops the `Future` after polling it once. This leaves the component instance in a non-reenterable state since the call never had a chance to complete. Fourth, the host embedding calls `[Typed]Func::call_async` again, polling the returned `Future`. Since the component instance cannot be entered at this point, the call traps, but not before allocating a task and thread for the call. Fifth, the host embedding ignores the trap and drops the `Future`. This panics because the runtime attempts to dispose of the task created above, which panics since the thread has not yet exited. When a host embedder using the affected versions of Wasmtime calls `wasmtime::component::[Typed]Func::call_async` on a guest export and then drops the returned future without waiting for it to resolve, and then does so again with the same component instance, Wasmtime will panic. Embeddings that have the `component-model-async` compile-time feature disabled are unaffected. Wasmtime 40.0.4 and 41.0.4 have been patched to fix this issue. Versions 42.0.0 and later are not affected. If an embedding is not actually using any component-model-async features then disabling the `component-model-async` Cargo feature can work around this issue.
This issue can also be worked around by either ensuring every `call_async` future is awaited until it completes or refraining from using the `Store` again after dropping a not-yet-resolved `call_async` future.
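One way to enforce the second workaround in host code, as an added example that is not Wasmtime's own code: a drop guard that models the `Store` and a `call_async` future with plain `std` types. It has no Wasmtime dependency, and `GuardedStore`, `CallFuture`, `YieldOnce` and `noop_waker` are all constructed for this example. A future that was polled and then dropped before resolving marks the store as unusable, so the next call returns an error to the host instead of reaching the trap-then-panic path described above.

```rust
use std::future::Future;
use std::pin::Pin;
use std::sync::{atomic::{AtomicBool, Ordering}, Arc};
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

/// Constructed stand-in for the host's `Store`: remembers whether a guest call was abandoned.
pub struct GuardedStore { poisoned: Arc<AtomicBool> }
/// Wraps a `call_async`-style future and records, on drop, whether it was polled but never resolved.
pub struct CallFuture<F> { inner: Pin<Box<F>>, started: bool, done: bool, poisoned: Arc<AtomicBool> }

impl<F: Future> Future for CallFuture<F> {
    type Output = F::Output;
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<F::Output> {
        self.started = true;
        let out = self.inner.as_mut().poll(cx);
        if out.is_ready() { self.done = true; }
        out
    }
}

impl<F> Drop for CallFuture<F> {
    // Polled but dropped before completion: the component instance is no longer reenterable.
    fn drop(&mut self) { if self.started && !self.done { self.poisoned.store(true, Ordering::SeqCst); } }
}
impl GuardedStore {
    pub fn new() -> Self { GuardedStore { poisoned: Arc::new(AtomicBool::new(false)) } }
    /// Refuse a new call once an earlier one was abandoned, so the host sees an error instead of the runtime allocating a task/thread for a call that can only trap.
    pub fn call<F: Future>(&self, f: F) -> Result<CallFuture<F>, &'static str> {
        if self.poisoned.load(Ordering::SeqCst) {
            return Err("store unusable: an earlier call_async future was dropped unresolved");
        }
        Ok(CallFuture { inner: Box::pin(f), started: false, done: false, poisoned: Arc::clone(&self.poisoned) })
    }
}
/// Constructed guest call that yields to the runtime once, like a yielding host import.
pub struct YieldOnce(pub bool);
impl Future for YieldOnce {
    type Output = u32;
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<u32> {
        if self.0 { return Poll::Ready(42); }
        self.0 = true; cx.waker().wake_by_ref(); Poll::Pending
    }
}

/// No-op waker so the sequence can be polled by hand without an async runtime.
pub fn noop_waker() -> Waker {
    fn clone(p: *const ()) -> RawWaker { RawWaker::new(p, &VTABLE) }
    fn noop(_: *const ()) {}
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
    unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTABLE)) }
}
```

In a real embedding the same flag would sit beside the `wasmtime::Store` and be checked before every `[Typed]Func::call_async`; a future that is awaited to completion leaves the store usable.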
Published: 2026-02-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (runtime crash)
Action: Patch Now
AI Analysis

Impact

The bug causes Wasmtime to panic when an embedding calls an async guest export, polls the returned future, drops it before it resolves, and then makes another async call on the same component instance. Because the component instance is now non-reenterable, the second call traps; the task and thread already allocated for it have not yet exited when the dropped future is cleaned up, so the runtime panics. The host process crashes, which denies service to any application embedding Wasmtime.

Affected Systems

The vulnerability affects releases of Wasmtime from version 39.0.0 up to, but excluding, the patched releases 40.0.4 and 41.0.4; versions 42.0.0 and later are not affected. Embeddings compiled without the component-model-async feature, or that never invoke async component exports, are not impacted. The affected product is the Wasmtime runtime provided by the Bytecode Alliance.

Risk and Exploitability

The CVSS score is 6.9, reflecting moderate severity, and the EPSS score is below 1%, indicating a very low probability that the flaw will be exploited in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an embedding that performs a call_async on a component-exported function, polls once, drops the future, reuses the component instance for another call, and ignores the resulting trap. Because this pattern is non-obvious and internal to the embedding application, the attack surface is limited, but a developer who writes or maintains the Wasmtime host code could trigger it unintentionally, leading to a denial-of-service condition.

Generated by OpenCVE AI on April 17, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wasmtime library to version 40.0.4, 41.0.4, or any 42.0.0 and later release where the bug is fixed.
  • If an upgrade is not feasible, explicitly disable the component-model-async Cargo feature when compiling Wasmtime to avoid the vulnerable path.
  • Refactor host code to await the future returned by call_async until it resolves; ensure that all async component calls complete before the Store is used again.
  • As a temporary measure, if the embedding does not need async component exports, remove such calls; otherwise ensure no further call is made on a Store after a call_async future has been dropped unresolved.


Advisories
  • Source: GitHub GHSA
    ID: GHSA-xjhv-v822-pf94
    Title: Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
History

Wed, 25 Feb 2026 15:30:00 +0000
  • CPEs, added: cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
  • Metrics cvssV3_1, removed: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  • Metrics cvssV3_1, added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Feb 2026 12:15:00 +0000
  • Weaknesses, added: CWE-248
  • References
  • Metrics threat_severity, removed: None
  • Metrics cvssV3_1, added: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  • Metrics threat_severity, added: Moderate

Wed, 25 Feb 2026 12:00:00 +0000
  • First Time appeared, added: Bytecodealliance; Bytecodealliance wasmtime
  • Vendors & Products, added: Bytecodealliance; Bytecodealliance wasmtime

Tue, 24 Feb 2026 22:15:00 +0000
  • Metrics ssvc, added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000
  • Description, added: text identical to the Description section at the top of this page
  • Title, added: Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
  • Weaknesses, added: CWE-755
  • References
  • Metrics cvssV4_0, added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-24T21:36:54.122Z
Reserved: 2026-02-18T19:47:02.154Z
Link: CVE-2026-27195

Vulnrichment
Updated: 2026-02-24T21:36:50.098Z

NVD
Status: Analyzed
Published: 2026-02-24T22:16:32.253
Modified: 2026-02-25T15:20:22.360
Link: CVE-2026-27195

Redhat
Severity: Moderate
Public Date: 2026-02-24T21:15:20Z
Links: CVE-2026-27195 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-17T15:45:15Z

Weaknesses