CVE-2026-27204 · threatengine.sh

Home/CVE/Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implemen

CVE

CVE-2026-27204

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implemen

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests.

This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors.

All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.

MEDIUM · CVSS 6.5 EPSS 0.00093

Monitor

No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-400Uncontrolled Resource Consumption
CWE-770Allocation of Resources Without Limits or Throttling
CWE-770Allocation of Resources Without Limits or Throttling
CWE-774Allocation of File Descriptors or Handles Without Limits or Throttling
CWE-789Memory Allocation with Excessive Size Value

▤

Affected Products & Versions

4

bytecodealliance wasmtime< 24.0.6
bytecodealliance wasmtime>= 25.0.0 and < 36.0.6
bytecodealliance wasmtime>= 37.0.0 and < 40.0.4
bytecodealliance wasmtime>= 41.0.0 and < 41.0.4

▤

Affected Packages

1

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

crates.io wasmtime MODERATE fixed in 24.0.6

▣

Scoring & Timeline

6.5

MEDIUM · CVSS v3.1 · security-advisories@github.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD24 Feb 2026 · 10:16 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

no

Technical impact

partial

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

🔗

References & Sources

7

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://docs.rs/wasmtime-wasi/latest/wasmtime_wasi/struct.WasiCtxBuilder.html#method.max_random_sizeProduct

https://docs.rs/wasmtime/latest/wasmtime/component/struct.ResourceTable.html#method.set_max_capacityProduct

https://docs.rs/wasmtime/latest/wasmtime/struct.Store.html#method.set_hostcall_fuelProduct

https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.htmlProduct

https://github.com/bytecodealliance/wasmtime/issues/11552Issue Tracking

https://github.com/bytecodealliance/wasmtime/pull/12599Issue TrackingThird Party Advisory

Show all 7 references

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4wThird Party Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin