Description
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.
Published: 2026-02-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Upgrade
AI Analysis

Impact

Wasmtime, a WebAssembly runtime, contains a flaw in its WASI host interface implementations that allows a malicious WebAssembly module to request an excessive amount of resources from the host. The runtime fails to enforce limits on allocations such as memory or other host resources, enabling resource exhaustion. Consequently an attacker can drain host CPU, memory, or other system resources, leading to denial of service. The weakness is reflected by improper resource handling and control, reflected by CWEs 400, 770, 774, and 789.

Affected Systems

Bytecodealliance Wasmtime versions earlier than 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 are vulnerable. The flaw is present in all builds before those releases; newer releases contain a fix but each embedder must enable the protective knobs to prevent exploitation. All versions of Wasmtime provide adjustable limits that must be configured to stop a malicious guest from exhausting resources.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity level, and the EPSS score of less than 1% suggests a very low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it from the guest side by submitting specially crafted WebAssembly modules that request excessive resources. Because the runtime does not impose limits by default, an untrusted guest can drive the host toward depletion of CPU or memory, interrupting services. The primary risk is denial of service to the host and any services that rely on Wasmtime.

Generated by OpenCVE AI on April 16, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wasmtime to version 24.0.6 or any later release that contains the patch.
  • Enable the resource‑limit knobs provided in newer releases—for example, configure WasiCtxBuilder.max_random_size, ResourceTable.set_max_capacity, or store.set_hostcall_fuel—to enforce upper bounds on requested resources.
  • Verify that the host configuration applies these limits before exposing untrusted WebAssembly modules.

Generated by OpenCVE AI on April 16, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-852m-cvvp-9p4w Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
History

Fri, 27 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Tue, 24 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.
Title Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
Weaknesses CWE-400
CWE-770
CWE-774
CWE-789
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:54:48.839Z

Reserved: 2026-02-18T19:47:02.155Z

Link: CVE-2026-27204

cve-icon Vulnrichment

Updated: 2026-02-27T20:54:45.833Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T22:16:32.480

Modified: 2026-02-25T15:20:51.910

Link: CVE-2026-27204

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T21:23:47Z

Links: CVE-2026-27204 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses