{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.716Z", "datePublished": "2026-02-26T00:55:53.360Z", "dateUpdated": "2026-02-26T14:34:29.169Z"}, "containers": {"cna": {"title": "Spin has memory leaks in various WIT interfaces", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-774", "lang": "en", "description": "CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/spinframework/spin/security/advisories/GHSA-mv4f-6ffm-32wx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/spinframework/spin/security/advisories/GHSA-mv4f-6ffm-32wx"}], "affected": [{"vendor": "spinframework", "product": "spin", "versions": [{"version": "< 3.6.1", "status": "affected"}]}, {"vendor": "spinframework", "product": "SpinKube", "versions": [{"version": "< 0.6.2", "status": "affected"}]}, {"vendor": "spinframework", "product": "containerd-shim-spin", "versions": [{"version": "< 0.22.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:55:53.360Z"}, "descriptions": [{"lang": "en", "value": "Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest application could incrementally insert a large number of rows or values into a database and then retrieve them all in a single query, leading to large host allocations. Spin 3.6.1, SpinKube 0.6.2, and `containerd-shim-spin` 0.22.1 have been patched to address the issue. As a workaround, configure Spin to only allow access to trusted databases and HTTP servers which limit response sizes."}], "source": {"advisory": "GHSA-mv4f-6ffm-32wx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:34:14.519689Z", "id": "CVE-2026-27887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:34:29.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:34:14.519689Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:34:22.023Z"}}], "cna": {"title": "Spin has memory leaks in various WIT interfaces", "source": {"advisory": "GHSA-mv4f-6ffm-32wx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "spinframework", "product": "spin", "versions": [{"status": "affected", "version": "< 3.6.1"}]}, {"vendor": "spinframework", "product": "SpinKube", "versions": [{"status": "affected", "version": "< 0.6.2"}]}, {"vendor": "spinframework", "product": "containerd-shim-spin", "versions": [{"status": "affected", "version": "< 0.22.1"}]}], "references": [{"url": "https://github.com/spinframework/spin/security/advisories/GHSA-mv4f-6ffm-32wx", "name": "https://github.com/spinframework/spin/security/advisories/GHSA-mv4f-6ffm-32wx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest application could incrementally insert a large number of rows or values into a database and then retrieve them all in a single query, leading to large host allocations. Spin 3.6.1, SpinKube 0.6.2, and `containerd-shim-spin` 0.22.1 have been patched to address the issue. As a workaround, configure Spin to only allow access to trusted databases and HTTP servers which limit response sizes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-774", "description": "CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:55:53.360Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27887", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:34:29.169Z", "dateReserved": "2026-02-24T15:19:29.716Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:55:53.360Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest application could incrementally insert a large number of rows or values into a database and then retrieve them all in a single query, leading to large host allocations. Spin 3.6.1, SpinKube 0.6.2, and `containerd-shim-spin` 0.22.1 have been patched to address the issue. As a workaround, configure Spin to only allow access to trusted databases and HTTP servers which limit response sizes."}, {"lang": "es", "value": "Spin es una herramienta de desarrollo de c\u00f3digo abierto para construir y ejecutar aplicaciones sin servidor impulsadas por WebAssembly. Cuando Spin est\u00e1 configurado para permitir conexiones a una base de datos o servidor web que podr\u00eda devolver respuestas de tama\u00f1o ilimitado (p. ej., tablas con muchas filas o cuerpos de contenido grandes), Spin puede, en algunos casos, intentar almacenar en b\u00fafer la respuesta completa antes de entregarla al invitado, lo que puede llevar a que el proceso anfitri\u00f3n se quede sin memoria, entre en p\u00e1nico y se bloquee. Adem\u00e1s, una aplicaci\u00f3n invitada maliciosa podr\u00eda insertar incrementalmente un gran n\u00famero de filas o valores en una base de datos y luego recuperarlos todos en una sola consulta, lo que llevar\u00eda a grandes asignaciones del anfitri\u00f3n. Spin 3.6.1, SpinKube 0.6.2 y 'containerd-shim-spin' 0.22.1 han sido parcheados para abordar el problema. Como soluci\u00f3n alternativa, configure Spin para permitir el acceso solo a bases de datos y servidores HTTP de confianza que limiten los tama\u00f1os de respuesta."}], "id": "CVE-2026-27887", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:20.360", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/spinframework/spin/security/advisories/GHSA-mv4f-6ffm-32wx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}, {"lang": "en", "value": "CWE-774"}, {"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.22.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "containerd-shim-spin", "source": "cna", "vendor": "spinframework"}, "product": "containerd-shim-spin", "vendor": "spinframework"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "spin", "source": "cna", "vendor": "spinframework"}, "product": "spin", "vendor": "spinframework"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.6.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SpinKube", "source": "cna", "vendor": "spinframework"}, "product": "spinkube", "vendor": "spinframework"}], "analysis": {"en": {"generated_at": "2026-04-18T17:37:21.556703+00:00", "value": {"mitigation_remediation": ["Upgrade to Spin\u202f3.6.1 or later, SpinKube\u202f0.6.2 or later, and containerd\u2011shim\u2011spin\u202f0.22.1 or later to apply the fix.", "Configure Spin to allow access only to trusted databases and HTTP servers that enforce response size limits, preventing unbounded data from being requested.", "Set resource limits on the Spin host or container to protect against runaway memory consumption, ensuring the host process does not exhaust available RAM."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via Host Process Crash due to Memory Exhaustion"}, "threat_synthesis": {"affected_systems": "Vulnerable versions include Spin prior to 3.6.1, SpinKube prior to 0.6.2, and containerd\u2011shim\u2011spin prior to 0.22.1. These releases may buffer unbounded responses when configured to connect to databases or HTTP servers that can produce very large payloads. The patched releases\u2014Spin\u202f3.6.1, SpinKube\u202f0.6.2, and containerd\u2011shim\u2011spin\u202f0.22.1\u2014implement safeguards that prevent the host from allocating excessive memory.", "description_and_impact": "Spin buffers entire responses from databases or HTTP servers that can return unbounded data. If a response grows larger than the host\u2019s available memory, Spin may allocate memory equal to the response size, leading to an out\u2011of\u2011memory condition. This scenario represents a resource exhaustion vulnerability (CWE\u2011770) and can trigger a panic or crash (CWE\u2011774). The large allocations also involve memory usage beyond expected limits (CWE\u2011789). Consequently, the host process crashes, denying availability to all running serverless functions.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium severity while the EPSS score of less than 1\u202f% indicates a very low but nonzero probability that this vulnerability will be exploited. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation. Based on the description, it is inferred that an attacker would need to control or influence a data source that can produce large responses, then trigger a request that generates a payload larger than the host memory. The attack path involves Spin allocating memory for the entire response, exhausting memory, and causing the host process to crash. Mitigation requires applying the patch or restricting access to trusted, size\u2011limited servers."}}}}, "created": "2026-02-26T13:10:12.485861+00:00", "updated": "2026-04-18T17:45:06.057036+00:00", "vendors": ["spinframework", "spinframework$PRODUCT$containerd-shim-spin", "spinframework$PRODUCT$spin", "spinframework$PRODUCT$spinkube"]}