Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion

🗓️ 24 Feb 2026 20:47:08Reported by GitHub Advisory DatabaseType

Wasmtime WASI allows guests to exhaust host resources, causing DoS via memory and allocations.

Reporter	Title	Published	Views	Family All 23
ATTACKERKB	CVE-2026-27204	24 Feb 202621:23	–	attackerkb
Chainguard	CVE-2026-27204 vulnerabilities	25 Feb 202619:29	–	cgr
Circl	CVE-2026-27204	25 Feb 202601:07	–	circl
CNNVD	wasmtime 安全漏洞	24 Feb 202600:00	–	cnnvd
CVE	CVE-2026-27204	24 Feb 202621:23	–	cve
Cvelist	CVE-2026-27204 Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion	24 Feb 202621:23	–	cvelist
Debian CVE	CVE-2026-27204	24 Feb 202621:23	–	debiancve
NVD	CVE-2026-27204	24 Feb 202622:16	–	nvd
OSV	CGA-QWVF-HP8H-3VXC	25 Feb 202617:30	–	osv
OSV	CVE-2026-27204 Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion	24 Feb 202621:23	–	osv

Vulners

Node

bytecodealliance wasmtimeRange37.0.0–40.0.4rust

bytecodealliance wasmtimeRange25.0.0–36.0.6rust

Source	Link
github	www.github.com/bytecodealliance/wasmtime/security/advisories/GHSA-852m-cvvp-9p4w
github	www.github.com/bytecodealliance/wasmtime/issues/11552
github	www.github.com/bytecodealliance/wasmtime/pull/12599
docs	www.docs.rs/wasmtime-wasi/latest/wasmtime_wasi/struct.WasiCtxBuilder.html
docs	www.docs.rs/wasmtime/latest/wasmtime/component/struct.ResourceTable.html
docs	www.docs.rs/wasmtime/latest/wasmtime/struct.Store.html
docs	www.docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-27204
rustsec	www.rustsec.org/advisories/RUSTSEC-2026-0020.html
github	www.github.com/advisories/GHSA-852m-cvvp-9p4w

27 Feb 2026 20:25Current

6Medium risk

Vulners AI Score6

CVSS 3.16.5

CVSS 46.9

EPSS0.00345

SSVC