6.9
Wasmtime Can Crash When Handling Too Many HTTP Request Headers
CVE-2026-27572
GHSA-243v-98vx-264h
Summary
Wasmtime, a tool for running WebAssembly code, can freeze or crash if an HTTP request has too many headers. An attacker can trigger this by intentionally sending a large number of headers. To fix this, update to the latest version of Wasmtime.
What to do
- Update wasmtime to version 24.0.6.
- Update wasmtime to version 36.0.6.
- Update wasmtime to version 40.0.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | wasmtime | <= 24.0.6 | 24.0.6 |
| – | wasmtime | > 25.0.0, <= 36.0.6 | 36.0.6 |
| – | wasmtime | > 37.0.0, <= 40.0.4 | 40.0.4 |
| bytecodealliance | wasmtime | <= 24.0.6 | – |
| bytecodealliance | wasmtime | > 25.0.0, <= 36.0.6 | – |
| bytecodealliance | wasmtime | > 37.0.0, <= 40.0.4 | – |
| bytecodealliance | wasmtime | > 41.0.0, <= 41.0.4 | – |
Original title
Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance
Original description
### Impact
Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime.
### Patches
Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking.
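A lockfile check built on the patched versions listed above, as an added example that is not part of the advisory or of Wasmtime's code: it flags `wasmtime` and `wasmtime-wasi-http` entries in `Cargo.lock` text that predate the fix for their release line. It assumes both crates share one version number and that each unpatched release line is fixed by the next listed release; the function names and the sample lockfile are constructed for illustration.

```rust
// Added example. Assumption: wasmtime and wasmtime-wasi-http share one version number.
/// Parse "MAJOR.MINOR.PATCH"; a pre-release or build suffix is ignored.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// First patched release for the line containing `major` (advisory's list of fixes).
fn first_patched(major: u64) -> (u64, u64, u64) {
    match major {
        0..=24 => (24, 0, 6),
        25..=36 => (36, 0, 6),
        37..=40 => (40, 0, 4),
        41 => (41, 0, 4),
        _ => (42, 0, 0),
    }
}

/// Some(true) if `version` predates the fix for its release line; None if unparsable.
fn is_vulnerable(version: &str) -> Option<bool> {
    parse_version(version).map(|v| v < first_patched(v.0))
}

/// Scan Cargo.lock text; return (crate, version) for each unpatched wasmtime crate.
fn audit_lockfile(lock: &str) -> Vec<(String, String)> {
    let mut findings = Vec::new();
    let mut name = "";
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"');
        } else if let Some(v) = line.strip_prefix("version = ") {
            let version = v.trim_matches('"');
            let watched = name == "wasmtime" || name == "wasmtime-wasi-http";
            if watched && is_vulnerable(version) == Some(true) {
                findings.push((name.to_string(), version.to_string()));
            }
        }
    }
    findings
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK: &str = "version = 4\n\n[[package]]\nname = \"wasmtime\"\nversion = \"36.0.5\"\n\n\
[[package]]\nname = \"wasmtime-wasi-http\"\nversion = \"41.0.4\"\n\n[[package]]\nname = \"http\"\nversion = \"1.4.0\"\n";

fn main() {
    println!("unpatched: {:?}", audit_lockfile(SAMPLE_LOCK));
}
```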
### Workarounds
There are no known workarounds at this time; embedders are encouraged to update to a patched version of Wasmtime.
### Resources
* [Limitations of `http::HeaderMap`](https://docs.rs/http/1.4.0/http/header/#limitations)
nvd CVSS3.1
7.5
nvd CVSS4.0
6.9
Vulnerability type
CWE-770
Allocation of Resources Without Limits
- https://nvd.nist.gov/vuln/detail/CVE-2026-27572
- https://rustsec.org/advisories/RUSTSEC-2026-0021.html
- https://github.com/advisories/GHSA-243v-98vx-264h
- https://docs.rs/http/1.4.0/http/header/#limitations Not Applicable
- https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1... Patch
- https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6 Product Release Notes
- https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6 Product Release Notes
- https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4 Product Release Notes
- https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4 Product Release Notes
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-... Third Party Advisory
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026