CVE-2026-27195 Overview
CVE-2026-27195 is a Denial of Service vulnerability in Wasmtime, a runtime for WebAssembly. Starting with Wasmtime version 39.0.0, the component-model-async feature became enabled by default, introducing a new implementation of [Typed]Func::call_async capable of calling async-typed guest export functions. However, this implementation contains a bug that leads to a panic under specific conditions when handling dropped futures and re-entry attempts on component instances.
The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions), as the runtime fails to properly handle the exceptional state that arises when a call future is dropped before completion and the same component instance is subsequently reused.
Critical Impact
Attackers can cause Wasmtime to panic, leading to denial of service for applications embedding the affected WebAssembly runtime. This impacts availability of services running WebAssembly components with async functionality.
Affected Products
- Bytecodealliance Wasmtime versions 39.0.0 through 40.0.3
- Bytecodealliance Wasmtime versions 41.0.0 through 41.0.3
- Wasmtime builds with component-model-async Cargo feature enabled (default since 39.0.0)
Discovery Timeline
- 2026-02-24 - CVE-2026-27195 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27195
Vulnerability Analysis
The vulnerability exists in Wasmtime's async component model implementation, specifically within the [Typed]Func::call_async function used for calling WebAssembly guest exports asynchronously. The flaw manifests through improper exception handling when the runtime attempts to dispose of a task created during a trapped call sequence.
The panic occurs because of a race condition in task lifecycle management. When a host embedding drops a Future after the component instance has entered a non-reenterable state, and then attempts another call_async, the runtime allocates a new task and thread for the call. Upon trapping (as expected due to the non-reenterable state), if the host ignores this trap and drops the Future, the runtime attempts to dispose of the task while the associated thread has not yet exited, triggering a panic.
This vulnerability affects embeddings that use async component model features and do not properly await futures to completion. The attack requires network access but involves high attack complexity due to the specific sequence of operations needed to trigger the panic condition.
Root Cause
The root cause is improper exception handling (CWE-755) in the concurrent runtime component of Wasmtime. Specifically, the implementation fails to properly synchronize task disposal with thread lifecycle when handling trapped async calls. The runtime does not account for the scenario where a call traps due to a non-reenterable component state, leaving a task allocated with a thread that has not exited.
The fix introduces additional resource management controls including max_resources limits on simultaneously created guest resources and hostcall_fuel to limit guest-host data transfer, providing better bounds on resource allocation during async operations.
Attack Vector
The attack vector requires a network-accessible Wasmtime embedding that exposes component model functionality. An attacker must:
- Trigger a [Typed]Func::call_async call on a guest-exported function
- Cause the component function to yield control (e.g., via epoch interruption or an async host function)
- Cause the host to drop the Future before completion
- Trigger another call_async on the same component instance
- Cause the host to ignore the resulting trap and drop the second Future
This sequence causes the Wasmtime runtime to panic, resulting in denial of service.
pub keyvalue_in_memory_data: Vec<KeyValuePair>,
/// Enable support for WASIp3 APIs.
pub p3: Option<bool>,
+ /// Maximum resources the guest is allowed to create simultaneously.
+ pub max_resources: Option<usize>,
+ /// Fuel to use for all hostcalls to limit guest<->host data transfer.
+ pub hostcall_fuel: Option<usize>,
+ /// Maximum value, in bytes, for a wasi-random 0.2
+ /// `get{,-insecure}-random-bytes` `len` parameter. Calls with a value
+ /// exceeding this limit will trap.
+ pub max_random_size: Option<u64>,
+ /// Maximum value, in bytes, for the contents of a wasi-http 0.2
+ /// `fields` resource (aka `headers` and `trailers`). `fields` methods
+ /// which cause the contents to exceed this size limit will trap.
+ pub max_http_fields_size: Option<usize>,
}
enum Wasi {
Source: GitHub Commit 9e51c0d
Detection Methods for CVE-2026-27195
Indicators of Compromise
- Unexpected Wasmtime runtime panics with stack traces referencing runtime/concurrent/component modules
- Application crashes following patterns of interrupted async WebAssembly calls
- Log entries indicating task disposal failures or thread synchronization errors in Wasmtime-based services
Detection Strategies
- Monitor application logs for Wasmtime panic messages, particularly those mentioning thread exit or task disposal failures
- Implement health checks that detect Wasmtime process crashes and restart patterns
- Review application code for patterns where call_async futures are dropped without being awaited to completion
Monitoring Recommendations
- Enable verbose logging for Wasmtime runtime operations in production deployments
- Set up alerting on process restarts for services embedding Wasmtime
- Monitor resource utilization patterns that might indicate repeated crash-restart cycles
How to Mitigate CVE-2026-27195
Immediate Actions Required
- Upgrade to Wasmtime version 40.0.4, 41.0.4, or 42.0.0 or later immediately
- Audit application code to ensure all call_async futures are awaited until completion
- If upgrade is not immediately possible, disable the component-model-async Cargo feature if async component model features are not in use
Patch Information
Bytecodealliance has released patched versions addressing this vulnerability:
- Wasmtime v40.0.4 - Backport fix for version 40.x series
- Wasmtime v41.0.4 - Backport fix for version 41.x series
- Versions 42.0.0 and later are not affected
The patches are available through the following commits:
- Commit 9e51c0d - 40.0.x backport
- Commit d86b007 - 41.0.x backport
For more details, see the GitHub Security Advisory GHSA-xjhv-v822-pf94.
Workarounds
- Disable the component-model-async Cargo feature if your embedding does not use async component model functionality
- Ensure every call_async future is awaited until it completes before dropping
- Refrain from reusing a Store after dropping a not-yet-resolved call_async future
# Cargo.toml - Disable component-model-async feature
[dependencies]
wasmtime = { version = "40.0", default-features = false, features = ["runtime", "component-model"] }
# Note: Explicitly exclude "component-model-async" from features list
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
