Description
Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest application could incrementally insert a large number of rows or values into a database and then retrieve them all in a single query, leading to large host allocations. Spin 3.6.1, SpinKube 0.6.2, and `containerd-shim-spin` 0.22.1 have been patched to address the issue. As a workaround, configure Spin to only allow access to trusted databases and HTTP servers which limit response sizes.
Published: 2026-02-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Host Process Crash due to Memory Exhaustion
Action: Apply Patch
AI Analysis

Impact

Spin buffers entire responses from databases or HTTP servers that can return unbounded data. If a response grows larger than the host’s available memory, Spin may allocate memory equal to the response size, leading to an out‑of‑memory condition. This scenario represents a resource exhaustion vulnerability (CWE‑770) and can trigger a panic or crash (CWE‑774). The large allocations also involve memory usage beyond expected limits (CWE‑789). Consequently, the host process crashes, denying availability to all running serverless functions.

Affected Systems

Vulnerable versions include Spin prior to 3.6.1, SpinKube prior to 0.6.2, and containerd‑shim‑spin prior to 0.22.1. These releases may buffer unbounded responses when configured to connect to databases or HTTP servers that can produce very large payloads. The patched releases—Spin 3.6.1, SpinKube 0.6.2, and containerd‑shim‑spin 0.22.1—implement safeguards that prevent the host from allocating excessive memory.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity while the EPSS score of less than 1 % indicates a very low but nonzero probability that this vulnerability will be exploited. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation. Based on the description, it is inferred that an attacker would need to control or influence a data source that can produce large responses, then trigger a request that generates a payload larger than the host memory. The attack path involves Spin allocating memory for the entire response, exhausting memory, and causing the host process to crash. Mitigation requires applying the patch or restricting access to trusted, size‑limited servers.

Generated by OpenCVE AI on April 18, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spin 3.6.1 or later, SpinKube 0.6.2 or later, and containerd‑shim‑spin 0.22.1 or later to apply the fix.
  • Configure Spin to allow access only to trusted databases and HTTP servers that enforce response size limits, preventing unbounded data from being requested.
  • Set resource limits on the Spin host or container to protect against runaway memory consumption, ensuring the host process does not exhaust available RAM.

Generated by OpenCVE AI on April 18, 2026 at 17:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Spinframework
Spinframework containerd-shim-spin
Spinframework spin
Spinframework spinkube
Vendors & Products Spinframework
Spinframework containerd-shim-spin
Spinframework spin
Spinframework spinkube

Thu, 26 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest application could incrementally insert a large number of rows or values into a database and then retrieve them all in a single query, leading to large host allocations. Spin 3.6.1, SpinKube 0.6.2, and `containerd-shim-spin` 0.22.1 have been patched to address the issue. As a workaround, configure Spin to only allow access to trusted databases and HTTP servers which limit response sizes.
Title Spin has memory leaks in various WIT interfaces
Weaknesses CWE-770
CWE-774
CWE-789
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Spinframework Containerd-shim-spin Spin Spinkube
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:34:29.169Z

Reserved: 2026-02-24T15:19:29.716Z

Link: CVE-2026-27887

cve-icon Vulnrichment

Updated: 2026-02-26T14:34:22.023Z

cve-icon NVD

Status : Deferred

Published: 2026-02-26T02:16:20.360

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27887

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses