
CVE-2026-27195: CWE-755: Improper Handling of Exceptional Conditions in bytecodealliance wasmtime

Severity: Medium
Tags: CVE-2026-27195, CWE-755
Published: Tue Feb 24 2026 (02/24/2026, 21:15:20 UTC)
Source: CVE Database V5
Vendor/Project: bytecodealliance
Product: wasmtime

Description

Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` that made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances. First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to a host function registered using `LinkerInstance::func_wrap_async` which yields, or due to an epoch interruption. Third, the host embedding drops the `Future` after polling it once. This leaves the component instance in a non-reenterable state since the call never had a chance to complete. Fourth, the host embedding calls `[Typed]Func::call_async` again, polling the returned `Future`. Since the component instance cannot be entered at this point, the call traps, but not before allocating a task and thread for the call. Fifth, the host embedding ignores the trap and drops the `Future`. This panics because the runtime attempts to dispose of the task created above, which panics since the thread has not yet exited. When a host embedder using the affected versions of Wasmtime calls `wasmtime::component::[Typed]Func::call_async` on a guest export and then drops the returned future without waiting for it to resolve, and then does so again with the same component instance, Wasmtime will panic. Embeddings that have the `component-model-async` compile-time feature disabled are unaffected. Wasmtime 40.0.4 and 41.0.4 have been patched to fix this issue. Versions 42.0.0 and later are not affected. If an embedding is not actually using any component-model-async features, then disabling the `component-model-async` Cargo feature can work around this issue. This issue can also be worked around by either ensuring every `call_async` future is awaited until it completes or refraining from using the `Store` again after dropping a not-yet-resolved `call_async` future.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/04/2026, 01:52:33 UTC

Technical Analysis

CVE-2026-27195 is a vulnerability in the Wasmtime WebAssembly runtime introduced with the default enablement of the component-model-async feature starting in version 39.0.0. This feature introduced a new implementation of the asynchronous function call interface, [Typed]Func::call_async, which allows host embeddings to invoke async-typed guest export functions. The vulnerability occurs when the host calls call_async on a component-exported function and polls the returned Future once, after which the guest function yields control to the async runtime (e.g., Tokio), either because of an async host function call or an epoch interruption. If the host then drops the Future without awaiting its completion, the component instance is left in a non-reenterable state; a subsequent call_async on the same component instance traps but still allocates a task and thread. When the host ignores the trap and drops the Future again, Wasmtime panics because it attempts to dispose of a task whose thread has not exited. This improper handling of exceptional conditions (CWE-755) can lead to a denial of service via host application crashes. The vulnerability affects Wasmtime versions >=39.0.0 and <40.0.4, and >=41.0.0 and <41.0.4. Versions 40.0.4, 41.0.4, and later have patched this issue. Workarounds include disabling the component-model-async Cargo feature if unused, ensuring all call_async Futures are awaited until completion, or refraining from reusing the Store after dropping unresolved Futures. Triggering the issue requires only low privileges, but it also requires user interaction and careful timing. No known exploits have been reported in the wild.

Potential Impact

The primary impact of CVE-2026-27195 is denial of service caused by runtime panics in host applications embedding Wasmtime with the component-model-async feature enabled. This can lead to application crashes, potentially disrupting services that rely on WebAssembly components for execution. Since Wasmtime is used in cloud-native environments, edge computing, and serverless platforms, affected applications may experience instability or downtime. The vulnerability does not directly lead to code execution or data leakage but can degrade system availability and reliability. Organizations embedding Wasmtime in critical infrastructure or high-availability systems may face operational disruptions. Because triggering the issue requires dropping an unresolved Future and then reusing the Store, only certain usage patterns are vulnerable, which limits the scope but still poses a risk to developers unaware of the issue. The medium CVSS score (6.9) reflects moderate impact with some exploitation complexity. The absence of known active exploitation reduces the immediate risk, but patching is recommended to prevent future attacks.

Mitigation Recommendations

1. Upgrade Wasmtime to version 40.0.4, 41.0.4, or later where the vulnerability is patched.
2. If the component-model-async feature is not used, disable it at compile time via Cargo features to avoid exposure.
3. Ensure that all asynchronous calls made via [Typed]Func::call_async are awaited to completion before dropping their Futures.
4. Avoid reusing the same Store instance after dropping a not-yet-resolved call_async Future to prevent entering a non-reenterable state.
5. Implement robust error handling around async calls to detect and recover from panics or traps gracefully.
6. Conduct code reviews and static analysis focusing on async call patterns in Wasmtime embeddings.
7. Monitor application logs for unexpected panics or crashes related to async WebAssembly calls.
8. Educate developers on proper async usage patterns with Wasmtime to prevent misuse.
9. Consider isolating Wasmtime components in separate processes or containers to limit the impact of crashes.
10. Stay updated with bytecodealliance advisories for any further patches or mitigations.
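The invariant behind recommendations 3 and 4, enforced on the host side, as an added example that is not Wasmtime's or the advisory's own code: `StoreGuard` and `PendingCall` are hypothetical stand-ins for a `wasmtime::Store` and the future returned by `[Typed]Func::call_async`, so the embedding learns about an unresolved dropped call from a `Result` rather than from the runtime panic the advisory describes.

```rust
use std::cell::RefCell;
use std::rc::Rc;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CallError {
    Poisoned,        // an earlier call future was dropped unresolved; do not reuse the store
    AlreadyInFlight, // a call is still pending; the instance is not reenterable
}

#[derive(Default)]
struct State { in_flight: bool, poisoned: bool }

/// Hypothetical stand-in for a `wasmtime::Store` plus the bookkeeping the advisory asks for.
pub struct StoreGuard { state: Rc<RefCell<State>> }
/// Hypothetical stand-in for the future returned by `[Typed]Func::call_async`.
pub struct PendingCall { state: Rc<RefCell<State>>, resolved: bool }

impl StoreGuard {
    pub fn new() -> Self { Self { state: Rc::default() } }
    pub fn is_poisoned(&self) -> bool { self.state.borrow().poisoned }
    /// Start a guest call; refuse up front instead of letting the runtime trap and later panic.
    pub fn begin_call(&mut self) -> Result<PendingCall, CallError> {
        let mut st = self.state.borrow_mut();
        if st.poisoned { return Err(CallError::Poisoned); }
        if st.in_flight { return Err(CallError::AlreadyInFlight); }
        st.in_flight = true;
        Ok(PendingCall { state: Rc::clone(&self.state), resolved: false })
    }
}

impl PendingCall {
    /// Call this once the future has been awaited to completion (Ok or trap).
    pub fn finish(mut self) { self.resolved = true; }
}

impl Drop for PendingCall {
    fn drop(&mut self) {
        let mut st = self.state.borrow_mut();
        st.in_flight = false;
        if !self.resolved { st.poisoned = true; } // dropped unresolved: instance left non-reenterable
    }
}

/// Replays the advisory's sequence (call, drop unresolved, call again). Returns an error where
/// the unpatched runtime would allocate a task and then panic on the second drop.
pub fn replay_advisory_sequence() -> Result<(), CallError> {
    let mut store = StoreGuard::new();
    let first = store.begin_call()?; // step 1: call_async polled once
    drop(first);                     // steps 2-3: guest yields, host drops the future
    store.begin_call()?.finish();    // steps 4-5: rejected here as Err(Poisoned)
    Ok(())
}

fn main() { println!("{:?}", replay_advisory_sequence()); }
```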


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-18T19:47:02.154Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699e178ab7ef31ef0b4219f4

Added to database: 2/24/2026, 9:26:34 PM

Last enriched: 3/4/2026, 1:52:33 AM

Last updated: 4/10/2026, 5:53:12 PM

Views: 170
