CVE-2026-27195
Published: 24 February 2026
Summary
CVE-2026-27195 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Bytecodealliance Wasmtime. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Provides defined handling (alert and additional actions) for the exceptional condition of audit logging failure.
Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks.
By preparing users for contingency scenarios, the control promotes proper handling of exceptional conditions instead of default or unsafe behaviors.
An updated contingency plan defines current actions for exceptional conditions, reducing the window for attackers to exploit improper handling leading to system failure.
Procedures ensure proper handling of exceptional conditions to support effective incident response.
Incident response testing confirms proper handling of exceptional conditions to limit exploit impact.
Gives users guidance on incident handling, reducing improper handling of exceptional conditions that could stem from exploited weaknesses.
Enforces structured response to exceptional conditions so the system cannot remain in an unsafe state.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote exploitation of the public-facing Wasmtime runtime (T1190) via malicious WASM component triggers application/system crash for DoS (T1499.004).
NVD Description
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a…
more
bug leading to a panic under certain circumstances: First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to host function registered using `LinkerInstance::func_wrap_async` which yields, or due an epoch interruption. Third, the host embedding drops the `Future` after polling it once. This leaves the component instance in a non-reenterable state since the call never had a chance to complete. Fourth, the host embedding calls `[Typed]Func::call_async` again, polling the returned `Future`. Since the component instance cannot be entered at this point, the call traps, but not before allocating a task and thread for the call. Fifth, the host embedding ignores the trap and drops the `Future`. This panics due to the runtime attempting to dispose of the task created above, which panics since the thread has not yet exited. When a host embedder using the affected versions of Wasmtime calls `wasmtime::component::[Typed]Func::call_async` on a guest export and then drops the returned future without waiting for it to resolve, and then does so again with the same component instance, Wasmtime will panic. Embeddings that have the `component-model-async` compile-time feature disabled are unaffected. Wasmtime 40.0.4 and 41.0.4 have been patched to fix this issue. Versions 42.0.0 and later are not affected. If an embedding is not actually using any component-model-async features then disabling the `component-model-async` Cargo feature can work around this issue. This issue can also be worked around by either ensuring every `call_async` future is awaited until it completes or refraining from using the `Store` again after dropping a not-yet-resolved `call_async` future.
Deeper analysisAI
CVE-2026-27195 is a denial-of-service vulnerability in Wasmtime, a runtime for WebAssembly, affecting versions starting from 39.0.0 where the `component-model-async` feature is enabled by default. The issue stems from a bug in the new implementation of `[Typed]Func::call_async`, which allows calling async-typed guest export functions. Under specific conditions, this leads to a runtime panic: the host embedding calls `call_async` on a component-exported function and polls the returned Future once; the component yields control (e.g., via a host function wrapped with `LinkerInstance::func_wrap_async` or an epoch interruption); the host drops the Future without resolution; a subsequent `call_async` on the same instance traps after allocating resources; and dropping the second Future triggers a panic during task disposal.
The vulnerability can be exploited by remote attackers with no privileges over hosts embedding Wasmtime in network-accessible services running affected versions with `component-model-async` enabled. A malicious WebAssembly component can induce the panic sequence if the host implementation prematurely drops an unresolved `call_async` Future and reattempts the call on the same instance, resulting in a crash of the Wasmtime runtime and denial of service (CVSS 3.1 score of 7.5, with high availability impact and no confidentiality or integrity effects; CWE-755).
Patches are available in Wasmtime 40.0.4 and 41.0.4, while versions 42.0.0 and later are unaffected. Embeddings not using component-model-async features can disable that Cargo feature as a workaround. Additional mitigations include ensuring all `call_async` Futures are awaited to completion or avoiding reuse of the `Store` after dropping an unresolved Future, as detailed in the Wasmtime release notes and fix commits.
Details
- CWE(s)