CVE-2026-27204
Resource Exhaustion DoS in Wasmtime WASI Host Interfaces
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | wasmtime | Up to 24.0.6 (exc) |
| bytecodealliance | wasmtime | From 25.0.0 (inc) to 36.0.6 (exc) |
| bytecodealliance | wasmtime | From 37.0.0 (inc) to 40.0.4 (exc) |
| bytecodealliance | wasmtime | From 41.0.0 (inc) to 41.0.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-774 | The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Wasmtime, a runtime for WebAssembly, specifically its implementation of WASI host interfaces. Prior to certain fixed versions, Wasmtime did not properly limit resource allocations requested by guest programs. This flaw allows a guest to exhaust host resources, leading to a Denial of Service (DoS) condition.
The issue arises because Wasmtime's host interface accepts resource requests from guests without adequate restrictions, enabling potentially malicious guests to consume excessive resources on the host system.
Fixed versions of Wasmtime have been released that include configuration knobs to prevent this behavior, and newer versions tune these knobs by default to mitigate the vulnerability.
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) on the host system running Wasmtime. A malicious guest can exhaust host resources by requesting excessive allocations, potentially causing the host to become unresponsive or crash.
Such an impact can disrupt services relying on Wasmtime, degrade system performance, and cause downtime until the issue is resolved.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Wasmtime to one of the fixed versions: 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0 or later.
Additionally, configure Wasmtime embeddings to enable the appropriate resource allocation limits (knobs) so that guest-controlled resource exhaustion is prevented.
Note that the fixed versions 24.0.6, 36.0.6, 40.0.4 and 41.0.4 do not enable these limits by default, to avoid breaking existing behavior, so manual configuration is necessary on those versions; from version 42.0.0 onward the knobs are tuned by default.
There are no known workarounds without upgrading.