CVE-2026-27572

7.5 HIGH

📋 TL;DR

This vulnerability in Wasmtime's WASI HTTP implementation causes denial of service when excessive HTTP headers are processed. The runtime panics instead of gracefully handling the condition, allowing attackers to crash applications using vulnerable Wasmtime versions. All embedders using affected Wasmtime versions are impacted.

💻 Affected Systems

Products:
  • Wasmtime WebAssembly runtime
Versions: All versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0
Operating Systems: All platforms running Wasmtime
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the wasi:http/types.fields functionality. The vulnerability is in the wasmtime-wasi-http crate implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application crash leading to sustained denial of service, potentially affecting multiple services if Wasmtime is used in critical infrastructure.
🟠 Likely Case: Service disruption through application crashes when malicious HTTP requests with excessive headers are received.
🟢 If Mitigated: Minimal impact with proper monitoring and rapid incident response to restart services.

🌐 Internet-Facing: HIGH - HTTP endpoints are typically internet-facing and attackers can easily craft malicious requests with excessive headers.
🏢 Internal Only: MEDIUM - Internal services could still be targeted by authenticated users or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with excessive headers to trigger the panic condition. No authentication needed if HTTP endpoints are exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0

Vendor Advisory: https://github.com/bytecodealliance/wasmtime/security/advisories

Restart Required: Yes

Instructions:

1. Identify the current Wasmtime version.
2. Update to a patched version using your package manager or a direct download.
3. Restart all applications using Wasmtime.
4. Verify the update was successful.

🔧 Temporary Workarounds

No known workarounds

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Implement rate limiting and request filtering to block HTTP requests with excessive headers
  • Deploy monitoring and automated restart mechanisms to detect and recover from crashes

🔍 How to Verify

Check if Vulnerable:

Check the Wasmtime version with 'wasmtime --version' and compare it against the affected versions.

Check Version:

wasmtime --version

Verify Fix Applied:

Verify the version is 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0 or higher.
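As an added example (not code from the advisory or the Wasmtime project), a small Python check that reads the output of `wasmtime --version` and decides whether the reported version predates the first fixed release on its branch. It assumes that 24.x, 36.x, 40.x and 41.x are the only branches that received a backport and that any other major below 42 is unpatched; confirm that reading against the vendor advisory.

```python
import re
import subprocess

# First fixed patch release on each backported branch, taken from the
# advisory text above. Assumption made here: a major that is not listed
# (e.g. 30.x) never received a fix and is treated as vulnerable.
FIRST_FIXED = {24: (24, 0, 6), 36: (36, 0, 6), 40: (40, 0, 4), 41: (41, 0, 4)}
FIRST_FIXED_MAJOR_LINE = 42  # 42.0.0 and every later major ship fixed

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'wasmtime-cli 40.0.3'."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text):
    """Return True if the version string carries the CVE-2026-27572 fix."""
    major, minor, patch = parse_version(version_text)
    if major >= FIRST_FIXED_MAJOR_LINE:
        return True
    fixed = FIRST_FIXED.get(major)
    if fixed is None:
        # Branch without a backport: no fixed release exists, so vulnerable.
        return False
    return (major, minor, patch) >= fixed


def installed_version():
    """Run `wasmtime --version`; return its output, or None if not on PATH."""
    try:
        out = subprocess.run(["wasmtime", "--version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    found = installed_version()
    if found is None:
        print("wasmtime not found on PATH")
    else:
        state = "patched" if is_patched(found) else "VULNERABLE to CVE-2026-27572"
        print(f"{found}: {state}")
```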

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs mentioning Wasmtime panic
  • Error logs related to HTTP header processing failures
  • Sudden service termination without normal shutdown

Network Indicators:

  • HTTP requests with abnormally large number of headers
  • Repeated connection attempts to HTTP endpoints

SIEM Query:

source="application.logs" AND ("panic" OR "wasmtime" OR "wasi:http") AND ("crash" OR "terminated")
