Wasmtime's implementation of the wasi:http/types.fields resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the wasmtime-wasi-http crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime.
Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking.
There are no known workarounds at this time, embedders are encouraged to update to a patched version of Wasmtime.
| Score | Percentile |
|---|---|
| 0.03% | 7.79% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-243v-98vx-264h ↗ |
| CVE | CVE-2026-27572 ↗ |
| CWE id | Name |
|---|---|
| CWE-770 | Allocation of Resources Without Limits or Throttling |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | wasmtime | < 24.0.6 | 24.0.6 | — |
| rust | wasmtime | >= 25.0.0, < 36.0.6 | 36.0.6 | — |
| rust | wasmtime | >= 37.0.0, < 40.0.4 | 40.0.4 | — |