CVE-2026-27204 (GCVE-0-2026-27204)
Vulnerability from cvelistv5
Published: 2026-02-24 21:23
Modified: 2026-02-27 20:54
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-770 - Allocation of Resources Without Limits or Throttling
  • CWE-774 - Allocation of File Descriptors or Handles Without Limits or Throttling
  • CWE-789 - Memory Allocation with Excessive Size Value
Summary
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementations of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration, to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0 and later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.
Impacted products
Vendor: bytecodealliance
Product: wasmtime
Affected versions:
  • < 24.0.6
  • >= 25.0.0, < 36.0.6
  • >= 37.0.0, < 40.0.4
  • >= 41.0.0, < 41.0.4


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27204",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T20:54:41.376330Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T20:54:48.839Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 24.0.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 25.0.0, \u003c 36.0.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 37.0.0, \u003c 40.0.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 41.0.0, \u003c 41.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime\u0027s implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-774",
              "description": "CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T21:23:47.007Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/issues/11552",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/issues/11552"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/pull/12599",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/pull/12599"
        },
        {
          "name": "https://docs.rs/wasmtime-wasi/latest/wasmtime_wasi/struct.WasiCtxBuilder.html#method.max_random_size",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/wasmtime-wasi/latest/wasmtime_wasi/struct.WasiCtxBuilder.html#method.max_random_size"
        },
        {
          "name": "https://docs.rs/wasmtime/latest/wasmtime/component/struct.ResourceTable.html#method.set_max_capacity",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/wasmtime/latest/wasmtime/component/struct.ResourceTable.html#method.set_max_capacity"
        },
        {
          "name": "https://docs.rs/wasmtime/latest/wasmtime/struct.Store.html#method.set_hostcall_fuel",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Store.html#method.set_hostcall_fuel"
        },
        {
          "name": "https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html"
        }
      ],
      "source": {
        "advisory": "GHSA-852m-cvvp-9p4w",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27204",
    "datePublished": "2026-02-24T21:23:47.007Z",
    "dateReserved": "2026-02-18T19:47:02.155Z",
    "dateUpdated": "2026-02-27T20:54:48.839Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

