CVE-2026-27195
Awaiting Analysis
Panic Vulnerability in Wasmtime Async Component Calls

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` that made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances:

First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once.
Second, the component function yields control to the async runtime (e.g. Tokio), for example due to a call to a host function registered using `LinkerInstance::func_wrap_async` which yields, or due to an epoch interruption.
Third, the host embedding drops the `Future` after polling it once. This leaves the component instance in a non-reenterable state since the call never had a chance to complete.
Fourth, the host embedding calls `[Typed]Func::call_async` again, polling the returned `Future`. Since the component instance cannot be entered at this point, the call traps, but not before allocating a task and thread for the call.
Fifth, the host embedding ignores the trap and drops the `Future`. Dropping it panics: the runtime attempts to dispose of the task created above, and that disposal panics because the thread has not yet exited.

When a host embedder using the affected versions of Wasmtime calls `wasmtime::component::[Typed]Func::call_async` on a guest export and then drops the returned future without waiting for it to resolve, and then does so again with the same component instance, Wasmtime will panic. Embeddings that have the `component-model-async` compile-time feature disabled are unaffected.

Wasmtime 40.0.4 and 41.0.4 have been patched to fix this issue. Versions 42.0.0 and later are not affected.

If an embedding is not actually using any component-model-async features, then disabling the `component-model-async` Cargo feature can work around this issue. This issue can also be worked around by either ensuring every `call_async` future is awaited until it completes or refraining from using the `Store` again after dropping a not-yet-resolved `call_async` future.
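
One way to enforce the second workaround inside an embedding, as an added example (not code from Wasmtime or from the advisory): a drop guard that marks a store as unusable once a call future is dropped before it resolves. `StoreHealth`, `Guarded` and `demo` are hypothetical names, and `std::future::ready` / `std::future::pending` stand in for real `call_async` futures.

```rust
use std::sync::{atomic::{AtomicBool, Ordering}, Arc};
use std::task::{Context, Poll, Wake, Waker};
use std::{future::Future, pin::Pin};

/// Hypothetical per-`Store` flag, set when a call future is dropped unresolved.
#[derive(Clone, Default)]
pub struct StoreHealth(Arc<AtomicBool>);

/// Wrapper around one call future that reports an early drop to its `StoreHealth`.
pub struct Guarded<F: Future> { inner: Pin<Box<F>>, done: bool, health: StoreHealth }

impl StoreHealth {
    pub fn is_poisoned(&self) -> bool { self.0.load(Ordering::SeqCst) }
    /// Refuse new calls once an earlier call on this store was abandoned.
    pub fn guard<F: Future>(&self, fut: F) -> Result<Guarded<F>, &'static str> {
        if self.is_poisoned() { return Err("store abandoned mid-call: discard it"); }
        Ok(Guarded { inner: Box::pin(fut), done: false, health: self.clone() })
    }
}
impl<F: Future> Future for Guarded<F> {
    type Output = F::Output;
    fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<F::Output> {
        let out = self.inner.as_mut().poll(cx);
        self.done |= out.is_ready();
        out
    }
}
impl<F: Future> Drop for Guarded<F> {
    // Conservative: any drop before `Ready` poisons the store, even if never polled.
    fn drop(&mut self) { if !self.done { self.health.0.store(true, Ordering::SeqCst); } }
}
struct Noop;
impl Wake for Noop { fn wake(self: Arc<Self>) {} }

/// Returns (poisoned after completed call, poisoned after abandoned call, next call refused).
pub fn demo() -> (bool, bool, bool) {
    let waker = Waker::from(Arc::new(Noop));
    let mut cx = Context::from_waker(&waker);
    let health = StoreHealth::default();
    // Constructed stand-ins: `ready` completes at once, `pending` stays parked at a yield.
    let mut finished = health.guard(std::future::ready(7u32)).unwrap();
    let _ = Pin::new(&mut finished).poll(&mut cx); // Ready(7): awaited to completion
    let after_complete = health.is_poisoned();
    let mut abandoned = health.guard(std::future::pending::<u32>()).unwrap();
    let _ = Pin::new(&mut abandoned).poll(&mut cx); // polled once: Pending
    drop(abandoned); // dropped unresolved
    (after_complete, health.is_poisoned(), health.guard(std::future::ready(0u32)).is_err())
}
fn main() { println!("{:?}", demo()); }
```

In a real embedding the guard would wrap the future returned by `call_async`, and a refused call is the signal to discard the `Store` and instantiate the component again.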
Meta Information
Published: 2026-02-24
Last Modified: 2026-02-25
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| bytecodealliance | wasmtime | From 41.0.0 (inc) to 41.0.4 (exc) |
| bytecodealliance | wasmtime | From 39.0.0 (inc) to 40.0.4 (exc) |
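
A check of a `Cargo.lock` against the two ranges listed above, as an added example that is not part of the advisory; the lockfile content is constructed and the function names are hypothetical. A lockfile does not record Cargo features, so a hit still needs a look at whether `component-model-async` is enabled in the embedding.

```rust
/// Parse "MAJOR.MINOR.PATCH", ignoring any pre-release or build suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Ranges from this page: 39.0.0 up to (not including) 40.0.4, and 41.0.0 up to 41.0.4.
pub fn is_affected(v: (u64, u64, u64)) -> bool {
    (v >= (39, 0, 0) && v < (40, 0, 4)) || (v >= (41, 0, 0) && v < (41, 0, 4))
}

/// Versions of the `wasmtime` crate in a Cargo.lock that fall inside an affected range.
pub fn affected_in_lockfile(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    for pkg in lock.split("[[package]]").skip(1) {
        // Read `key = "value"` from one package table; dependency entries never match.
        let field = |key: &str| {
            pkg.lines().find_map(|line| {
                let rest = line.trim().strip_prefix(key)?.trim_start();
                Some(rest.strip_prefix('=')?.trim().trim_matches('"').to_string())
            })
        };
        let bad = field("version").filter(|v| parse_version(v).map_or(false, is_affected));
        if field("name").as_deref() == Some("wasmtime") {
            hits.extend(bad);
        }
    }
    hits
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "wasmtime"
version = "40.0.3"
[[package]]
name = "wasmtime-environ"
version = "40.0.3"
[[package]]
name = "wasmtime"
version = "41.0.4"
"#;

fn main() {
    println!("affected wasmtime versions: {:?}", affected_in_lockfile(SAMPLE_LOCK));
}
```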
| CWE ID | Description |
| --- | --- |
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Wasmtime, a runtime for WebAssembly, specifically when using the component-model-async feature enabled by default starting from version 39.0.0. The issue arises when the host embedding calls an asynchronous function exported by a component using [Typed]Func::call_async, polls the returned Future once, then drops it without waiting for completion. If the component yields control to the async runtime during this call and the Future is dropped prematurely, the component instance enters a non-reenterable state. Subsequent calls to call_async on the same instance cause a trap and eventually lead to a panic due to improper disposal of tasks and threads created during the call.

This bug can cause Wasmtime to panic when the host embedding ignores the trap and drops the Future again. The problem affects versions 39.0.0 through 40.0.3 and 41.0.0 through 41.0.3, with patches applied in versions 40.0.4 and 41.0.4. Versions 42.0.0 and later are not affected. Workarounds include disabling the component-model-async feature or ensuring every call_async Future is awaited until completion.


How can this vulnerability impact me?

This vulnerability can cause the Wasmtime runtime to panic unexpectedly when asynchronous guest export functions are called and their Futures are dropped prematurely. This panic can disrupt the normal operation of applications embedding Wasmtime, potentially leading to crashes or denial of service conditions.

If your application relies on Wasmtime with the component-model-async feature enabled and does not properly await asynchronous calls, it may experience instability or unexpected termination, impacting reliability and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Wasmtime to version 40.0.4, 41.0.4, or later versions such as 42.0.0 and beyond, which have the issue fixed.

If upgrading is not immediately possible, you can work around the issue by disabling the `component-model-async` Cargo feature if your embedding does not use any component-model-async features.

Alternatively, ensure that every `call_async` future is awaited until it completes, or avoid using the Store again after dropping a not-yet-resolved `call_async` future.

