Vulnerability Details CVE-2026-27572
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity, and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.2%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-27572