{"id":"CVE-2026-27572","summary":"Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance","details":"Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity, and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.","aliases":["GHSA-243v-98vx-264h","RUSTSEC-2026-0021"],"modified":"2026-04-10T05:37:13.331095Z","published":"2026-02-24T21:31:50.186Z","related":["CGA-4c8q-mj8w-cjwx"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27572.json","cwe_ids":["CWE-770"]},"references":[{"type":"WEB","url":"https://docs.rs/http/1.4.0/http/header/#limitations"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27572.json"},{"type":"ADVISORY","url":"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"},{"type":"ADVISORY","url":
"https://nvd.nist.gov/vuln/detail/CVE-2026-27572"},{"type":"FIX","url":"https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bytecodealliance/wasmtime","events":[{"introduced":"0"},{"fixed":"f18f06e6dea00a78c06913061d952b26ed700b92"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"24.0.6"}]}},{"type":"GIT","repo":"https://github.com/bytecodealliance/wasmtime","events":[{"introduced":"0b195ef5db76c02fb5392ec1418c58bdc5537d41"},{"fixed":"f2054e0911f55af50686bee4da39d15308e14aec"}],"database_specific":{"versions":[{"introduced":"25.0.0"},{"fixed":"36.0.6"}]}},{"type":"GIT","repo":"https://github.com/bytecodealliance/wasmtime","events":[{"introduced":"7b3d6ae79e9153a2477668062f5622c10333925f"},{"fixed":"dc38c5b110862df44e9934ec90dc45e875f18835"}],"database_specific":{"versions":[{"introduced":"37.0.0"},{"fixed":"40.0.4"}]}},{"type":"GIT","repo":"https://github.com/bytecodealliance/wasmtime","events":[{"introduced":"3dda916921536c2b5233ec98315b6d05c793a34b"},{"fixed":"d938a9df47c8e62014c1a12571547411ede6ff5e"}],"database_specific":{"versions":[{"introduced":"41.0.0"},{"fixed":"41.0.4"}]}}],"versions":["cranelift-v0.60.0","cranelift-v0.61.0","cranelift-v0.69.0","v0.12.0","v0.16.0","v0.17.0","v0.18.0","v0.19.0","v0.20.0","v0.21.0","v0.22.0","v0.23.0","v0.24.0","v0.25.0","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.30.0","v0.31.0","v0.32.0","v0.33.0","v0.34.0","v0.35.0","v24.0.0","v24.0.1","v24.0.2","v24.0.3","v24.0.4","v24.0.5","v41.0.0","v41.0.1","v41.0.2","v41.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27572.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"}]}