{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27572", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.448Z", "datePublished": "2026-02-24T21:31:50.186Z", "dateUpdated": "2026-02-27T20:55:29.879Z"}, "containers": {"cna": {"title": "Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"}, {"name": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a"}, {"name": "https://docs.rs/http/1.4.0/http/header/#limitations", "tags": ["x_refsource_MISC"], "url": "https://docs.rs/http/1.4.0/http/header/#limitations"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": "< 24.0.6", "status": "affected"}, {"version": ">= 25.0.0, < 36.0.6", "status": "affected"}, {"version": ">= 37.0.0, < 40.0.4", "status": "affected"}, {"version": ">= 41.0.0, < 41.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T21:31:50.186Z"}, "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime."}], "source": {"advisory": "GHSA-243v-98vx-264h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:55:20.616278Z", "id": "CVE-2026-27572", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:55:29.879Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27572", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:55:20.616278Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:55:26.631Z"}}], "cna": {"title": "Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance", "source": {"advisory": "GHSA-243v-98vx-264h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"status": "affected", "version": "< 24.0.6"}, {"status": "affected", "version": ">= 25.0.0, < 36.0.6"}, {"status": "affected", "version": ">= 37.0.0, < 40.0.4"}, {"status": "affected", "version": ">= 41.0.0, < 41.0.4"}]}], "references": [{"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h", "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a", "name": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.rs/http/1.4.0/http/header/#limitations", "name": "https://docs.rs/http/1.4.0/http/header/#limitations", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6", "name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6", "name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4", "name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4", "name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T21:31:50.186Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27572", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:55:29.879Z", "dateReserved": "2026-02-20T17:40:28.448Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T21:31:50.186Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "FAB7C7D9-433F-4046-932B-44456BB034A3", "versionEndExcluding": "24.0.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "4AF1D021-3AC7-419E-AD0B-5C5738DC51E5", "versionEndExcluding": "36.0.6", "versionStartIncluding": "25.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2DBCFCF3-5A70-4441-B73D-E1CE96B01BE7", "versionEndExcluding": "40.0.4", "versionStartIncluding": "37.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "9BF3C16E-C1D8-468A-9F60-9F6F45DA98E3", "versionEndExcluding": "41.0.4", "versionStartIncluding": "41.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime."}], "id": "CVE-2026-27572", "lastModified": "2026-02-25T15:36:36.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T22:16:32.687", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://docs.rs/http/1.4.0/http/header/#limitations"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "wasmtime: Wasmtime: Denial of Service via excessive HTTP header fields", "id": "2442485", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442485"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27572", "package_state": [{"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Fix deferred", "package_name": "rhcl-1/wasm-shim-rhel9", "product_name": "Red Hat Connectivity Link 1"}], "public_date": "2026-02-24T21:31:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27572\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27572\nhttps://docs.rs/http/1.4.0/http/header/#limitations\nhttps://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,24.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.0.0,36.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[37.0.0,40.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[41.0.0,41.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wasmtime", "source": "cna", "vendor": "bytecodealliance"}, "product": "wasmtime", "vendor": "bytecodealliance"}], "analysis": {"en": {"generated_at": "2026-04-18T10:51:59.172016+00:00", "value": {"mitigation_remediation": ["Update Wasmtime to a fixed release (24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0 or later), ensuring all embedded instances use the new binary.", "Validate HTTP headers on the client side to avoid sending an excessive number of fields to Wasmtime, thereby mitigating potential crashes without requiring a runtime upgrade.", "Limit HTTP headers at the network layer via a reverse proxy or firewall to prevent unwieldy header sets from reaching Wasmtime."], "summary": {"action": "Patch", "impact": "Denial of Service via panic in WASM runtime"}, "threat_synthesis": {"affected_systems": "The issue affects the BytecodeAlliance Wasmtime product in all releases older than 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0. Any embedding or deployment of Wasmtime that has not been updated to at least one of the patched releases is susceptible.", "description_and_impact": "Wasmtime, a WebAssembly runtime, contains a flaw in the handling of the wasi:http/types.fields resource that triggers a panic when a client provides an excessive number of HTTP header fields. The panic causes the Wasmtime process to terminate abruptly, effectively denying service to any request or application using the runtime. This failure mode is a classic example of CWE\u2011770 \u2013 Excessive Resource Consumption, where unbounded input leads to resource exhaustion and a crash.", "risk_and_exploitability": "With a CVSS score of 6.9 and an EPSS estimate of less than 1\u202f%, the vulnerability is considered moderate in severity and likely has low to moderate exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as an attacker can craft HTTP requests with an overlarge number of header fields to trigger the panic in a Wasmtime\u2010based service. Once exploited, the host process or application crashes, resulting in a denial of service for legitimate users."}}}}, "created": "2026-02-25T11:35:27.287543+00:00", "updated": "2026-04-18T11:00:05.738330+00:00", "vendors": ["bytecodealliance", "bytecodealliance$PRODUCT$wasmtime"]}