{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27572", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.448Z", "datePublished": "2026-02-24T21:31:50.186Z", "dateUpdated": "2026-02-24T21:31:50.186Z"}, "containers": {"cna": {"title": "Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"}, {"name": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a"}, {"name": "https://docs.rs/http/1.4.0/http/header/#limitations", "tags": ["x_refsource_MISC"], "url": "https://docs.rs/http/1.4.0/http/header/#limitations"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4"}, {"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4"}], "affected": [{"vendor": "bytecodealliance", "product": "wasmtime", "versions": [{"version": "< 24.0.6", "status": "affected"}, {"version": ">= 25.0.0, < 36.0.6", "status": "affected"}, {"version": ">= 37.0.0, < 40.0.4", "status": "affected"}, {"version": ">= 41.0.0, < 41.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T21:31:50.186Z"}, "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime."}], "source": {"advisory": "GHSA-243v-98vx-264h", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "FAB7C7D9-433F-4046-932B-44456BB034A3", "versionEndExcluding": "24.0.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "4AF1D021-3AC7-419E-AD0B-5C5738DC51E5", "versionEndExcluding": "36.0.6", "versionStartIncluding": "25.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2DBCFCF3-5A70-4441-B73D-E1CE96B01BE7", "versionEndExcluding": "40.0.4", "versionStartIncluding": "37.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:bytecodealliance:wasmtime:*:*:*:*:*:rust:*:*", "matchCriteriaId": "9BF3C16E-C1D8-468A-9F60-9F6F45DA98E3", "versionEndExcluding": "41.0.4", "versionStartIncluding": "41.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime."}], "id": "CVE-2026-27572", "lastModified": "2026-02-25T15:36:36.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T22:16:32.687", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://docs.rs/http/1.4.0/http/header/#limitations"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "wasmtime: Wasmtime: Denial of Service via excessive HTTP header fields", "id": "2442485", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442485"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27572", "package_state": [{"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Fix deferred", "package_name": "rhcl-1/wasm-shim-rhel9", "product_name": "Red Hat Connectivity Link 1"}], "public_date": "2026-02-24T21:31:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27572\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27572\nhttps://docs.rs/http/1.4.0/http/header/#limitations\nhttps://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4\nhttps://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h"], "threat_severity": "Moderate"}