{"id":"GHSA-243v-98vx-264h","summary":"Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance","details":"### Impact\n\nWasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime.\n\n### Patches\n\nWasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking.\n\n### Workarounds\n\nThere are no known workarounds at this time; embedders are encouraged to update to a patched version of Wasmtime.\n\n### Resources\n\n* [Limitations of `http::HeaderMap`](https://docs.rs/http/1.4.0/http/header/#limitations)","aliases":["CVE-2026-27572","RUSTSEC-2026-0021"],"modified":"2026-02-28T06:25:59.342122Z","published":"2026-02-24T21:08:06Z","related":["CGA-4c8q-mj8w-cjwx"],"database_specific":{"severity":"MODERATE","nvd_published_at":"2026-02-24T22:16:32Z","cwe_ids":["CWE-770"],"github_reviewed":true,"github_reviewed_at":"2026-02-24T21:08:06Z"},"references":[{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27572"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a"},{"type":"WEB","url":"https://docs.rs/http/1.4.0/http/header/#limitations"},{"type":"PACKAGE","url":"https://github.com/bytecodealliance/wasmtime"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4"},{"type":"WEB","url":"https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2026-0021.html"}],"affected":[{"package":{"name":"wasmtime","ecosystem":"crates.io","purl":"pkg:cargo/wasmtime"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"24.0.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-243v-98vx-264h/GHSA-243v-98vx-264h.json"}},{"package":{"name":"wasmtime","ecosystem":"crates.io","purl":"pkg:cargo/wasmtime"},"ranges":[{"type":"SEMVER","events":[{"introduced":"25.0.0"},{"fixed":"36.0.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-243v-98vx-264h/GHSA-243v-98vx-264h.json"}},{"package":{"name":"wasmtime","ecosystem":"crates.io","purl":"pkg:cargo/wasmtime"},"ranges":[{"type":"SEMVER","events":[{"introduced":"37.0.0"},{"fixed":"40.0.4"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-243v-98vx-264h/GHSA-243v-98vx-264h.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"}]}