CVE-2026-27204
Awaiting Analysis Awaiting Analysis - Queue
Resource Exhaustion DoS in Wasmtime WASI Host Interfaces

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27204
EUVD
EUVD-2026-8568
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
bytecodealliance wasmtime to 24.0.6 (exc)
bytecodealliance wasmtime From 25.0.0 (inc) to 36.0.6 (exc)
bytecodealliance wasmtime From 37.0.0 (inc) to 40.0.4 (exc)
bytecodealliance wasmtime From 41.0.0 (inc) to 41.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-774 The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Wasmtime, a runtime for WebAssembly, specifically its implementation of WASI host interfaces. Prior to certain fixed versions, Wasmtime did not properly limit resource allocations requested by guest programs. This flaw allows a guest to exhaust host resources, leading to a Denial of Service (DoS) condition.

The issue arises because Wasmtime's host interface accepts resource requests from guests without adequate restrictions, enabling potentially malicious guests to consume excessive resources on the host system.

Fixed versions of Wasmtime have been released that include configuration knobs to prevent this behavior, and newer versions tune these knobs by default to mitigate the vulnerability.

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) on the host system running Wasmtime. A malicious guest can exhaust host resources by requesting excessive allocations, potentially causing the host to become unresponsive or crash.

Such an impact can disrupt services relying on Wasmtime, degrade system performance, and cause downtime until the issue is resolved.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Wasmtime to one of the fixed versions: 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0 or later.

Additionally, configure Wasmtime embeddings to enable the appropriate resource allocation limits (knobs) to prevent guest-controlled resource exhaustion.

Note that the fixed versions do not enable these limits by default to avoid breaking existing behaviors, so manual configuration is necessary until version 42.0.0-and-later where these knobs are tuned by default.

There are no known workarounds without upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart