Description
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.
Published: 2026-02-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via panic in WASM runtime
Action: Patch
AI Analysis

Impact

Wasmtime, a WebAssembly runtime, contains a flaw in the handling of the wasi:http/types.fields resource that triggers a panic when a client provides an excessive number of HTTP header fields. The panic causes the Wasmtime process to terminate abruptly, effectively denying service to any request or application using the runtime. This failure mode is a classic example of CWE‑770 – Excessive Resource Consumption, where unbounded input leads to resource exhaustion and a crash.

Affected Systems

The issue affects the BytecodeAlliance Wasmtime product in all releases older than 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0. Any embedding or deployment of Wasmtime that has not been updated to at least one of the patched releases is susceptible.

Risk and Exploitability

With a CVSS score of 6.9 and an EPSS estimate of less than 1 %, the vulnerability is considered moderate in severity and likely has low to moderate exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as an attacker can craft HTTP requests with an overlarge number of header fields to trigger the panic in a Wasmtime‐based service. Once exploited, the host process or application crashes, resulting in a denial of service for legitimate users.

Generated by OpenCVE AI on April 18, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Wasmtime to a fixed release (24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0 or later), ensuring all embedded instances use the new binary.
  • Validate HTTP headers on the client side to avoid sending an excessive number of fields to Wasmtime, thereby mitigating potential crashes without requiring a runtime upgrade.
  • Limit HTTP headers at the network layer via a reverse proxy or firewall to prevent unwieldy header sets from reaching Wasmtime.

Generated by OpenCVE AI on April 18, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-243v-98vx-264h Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance
History

Fri, 27 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Bytecodealliance
Bytecodealliance wasmtime
Vendors & Products Bytecodealliance
Bytecodealliance wasmtime

Tue, 24 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.
Title Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Bytecodealliance Wasmtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:55:29.879Z

Reserved: 2026-02-20T17:40:28.448Z

Link: CVE-2026-27572

cve-icon Vulnrichment

Updated: 2026-02-27T20:55:26.631Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T22:16:32.687

Modified: 2026-02-25T15:36:36.380

Link: CVE-2026-27572

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T21:31:50Z

Links: CVE-2026-27572 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses