CVE-2026-27195: CWE-755: Improper Handling of Exceptional Conditions in bytecodealliance wasmtime
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances: First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to host function registered using `LinkerInstance::func_wrap_async` which yields, or due an epoch interruption. Third, the host embedding drops the `Future` after polling it once. This leaves the component instance in a non-reenterable state since the call never had a chance to complete. Fourth, the host embedding calls `[Typed]Func::call_async` again, polling the returned `Future`. Since the component instance cannot be entered at this point, the call traps, but not before allocating a task and thread for the call. Fifth, the host embedding ignores the trap and drops the `Future`. This panics due to the runtime attempting to dispose of the task created above, which panics since the thread has not yet exited. When a host embedder using the affected versions of Wasmtime calls `wasmtime::component::[Typed]Func::call_async` on a guest export and then drops the returned future without waiting for it to resolve, and then does so again with the same component instance, Wasmtime will panic. Embeddings that have the `component-model-async` compile-time feature disabled are unaffected. Wasmtime 40.0.4 and 41.0.4 have been patched to fix this issue. Versions 42.0.0 and later are not affected. If an embedding is not actually using any component-model-async features then disabling the `component-model-async` Cargo feature can work around this issue. This issue can also be worked around by either ensuring every `call_async` future is awaited until it completes or refraining from using the `Store` again after dropping a not-yet-resolved `call_async` future.
AI Analysis
Technical Summary
CVE-2026-27195 is a vulnerability in the Wasmtime WebAssembly runtime, specifically in the component-model-async feature introduced as default starting with Wasmtime 39.0.0. The vulnerability stems from improper handling of exceptional conditions during asynchronous guest function calls via the [Typed]Func::call_async API. When a host embedding calls call_async on a guest export function, it receives a Future representing the asynchronous operation. If the host polls this Future once and then drops it without awaiting completion, the component instance enters a non-reenterable state because the async call never completes. Subsequent calls to call_async on the same component instance cause a trap due to the instance being non-reenterable, but before trapping, Wasmtime allocates a task and thread for the call. If the host ignores the trap and drops the Future again, the runtime panics during task disposal because the thread has not exited yet. This panic can cause a denial of service in the host application embedding Wasmtime. The issue affects Wasmtime versions >=39.0.0 and <40.0.4, and >=41.0.0 and <41.0.4. Versions 40.0.4, 41.0.4, and 42.0.0+ have patches that fix this problem. The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions). It requires a low privilege attacker to induce the panic by invoking asynchronous guest functions and dropping their futures prematurely. The vulnerability does not impact confidentiality or integrity but can cause availability issues due to runtime panics. Workarounds include disabling the component-model-async Cargo feature if unused or ensuring that all call_async futures are awaited to completion before reuse of the component instance or Store. The vulnerability is not known to be exploited in the wild.
Potential Impact
The primary impact of CVE-2026-27195 is denial of service (DoS) in applications embedding Wasmtime with the component-model-async feature enabled. When exploited, the runtime panics, potentially crashing the host application or causing instability. This can disrupt services relying on WebAssembly components for execution, especially in cloud-native environments, edge computing, or serverless platforms that use Wasmtime for sandboxing untrusted code. Since the vulnerability requires the host to drop asynchronous call futures prematurely and then reuse the component instance, it may be triggered inadvertently by buggy host code or maliciously by an attacker controlling inputs to the WebAssembly environment. The vulnerability does not allow code execution, data leakage, or integrity violations but can degrade availability, impacting reliability and uptime. Organizations relying on Wasmtime for critical workloads or multi-tenant environments may face service interruptions or require emergency patching. The medium CVSS score (6.9) reflects the moderate severity due to the availability impact combined with the complexity of exploitation requiring specific host behavior.
Mitigation Recommendations
1. Upgrade Wasmtime to version 40.0.4, 41.0.4, or later (42.0.0+) where the vulnerability is patched. 2. If the component-model-async feature is not required, disable it at compile time by disabling the Cargo feature to avoid exposure. 3. Ensure host embeddings always await the completion of call_async futures before dropping them or reusing the same component instance or Store. 4. Avoid dropping call_async futures prematurely; implement strict lifecycle management for asynchronous calls in the host embedding. 5. Conduct code reviews and static analysis on host applications embedding Wasmtime to detect improper async future handling patterns. 6. Monitor application logs for Wasmtime panics or traps indicative of this issue. 7. For environments using Tokio or other async runtimes, validate that async workflows correctly handle Wasmtime futures. 8. Consider isolating Wasmtime instances per request or user to limit impact scope if a panic occurs. 9. Engage with bytecodealliance community and maintainers for updates and best practices regarding async component usage. 10. Implement robust error handling around Wasmtime calls to gracefully recover from panics where possible.
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, China, India, Canada, France, Netherlands, Australia
CVE-2026-27195: CWE-755: Improper Handling of Exceptional Conditions in bytecodealliance wasmtime
Description
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation had a bug leading to a panic under certain circumstances: First, the host embedding calls `[Typed]Func::call_async` on a function exported by a component, polling the returned `Future` once. Second, the component function yields control to the async runtime (e.g. Tokio), e.g. due to a call to host function registered using `LinkerInstance::func_wrap_async` which yields, or due an epoch interruption. Third, the host embedding drops the `Future` after polling it once. This leaves the component instance in a non-reenterable state since the call never had a chance to complete. Fourth, the host embedding calls `[Typed]Func::call_async` again, polling the returned `Future`. Since the component instance cannot be entered at this point, the call traps, but not before allocating a task and thread for the call. Fifth, the host embedding ignores the trap and drops the `Future`. This panics due to the runtime attempting to dispose of the task created above, which panics since the thread has not yet exited. When a host embedder using the affected versions of Wasmtime calls `wasmtime::component::[Typed]Func::call_async` on a guest export and then drops the returned future without waiting for it to resolve, and then does so again with the same component instance, Wasmtime will panic. Embeddings that have the `component-model-async` compile-time feature disabled are unaffected. Wasmtime 40.0.4 and 41.0.4 have been patched to fix this issue. Versions 42.0.0 and later are not affected. If an embedding is not actually using any component-model-async features then disabling the `component-model-async` Cargo feature can work around this issue. This issue can also be worked around by either ensuring every `call_async` future is awaited until it completes or refraining from using the `Store` again after dropping a not-yet-resolved `call_async` future.
AI-Powered Analysis
Technical Analysis
CVE-2026-27195 is a vulnerability in the Wasmtime WebAssembly runtime, specifically in the component-model-async feature introduced as default starting with Wasmtime 39.0.0. The vulnerability stems from improper handling of exceptional conditions during asynchronous guest function calls via the [Typed]Func::call_async API. When a host embedding calls call_async on a guest export function, it receives a Future representing the asynchronous operation. If the host polls this Future once and then drops it without awaiting completion, the component instance enters a non-reenterable state because the async call never completes. Subsequent calls to call_async on the same component instance cause a trap due to the instance being non-reenterable, but before trapping, Wasmtime allocates a task and thread for the call. If the host ignores the trap and drops the Future again, the runtime panics during task disposal because the thread has not exited yet. This panic can cause a denial of service in the host application embedding Wasmtime. The issue affects Wasmtime versions >=39.0.0 and <40.0.4, and >=41.0.0 and <41.0.4. Versions 40.0.4, 41.0.4, and 42.0.0+ have patches that fix this problem. The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions). It requires a low privilege attacker to induce the panic by invoking asynchronous guest functions and dropping their futures prematurely. The vulnerability does not impact confidentiality or integrity but can cause availability issues due to runtime panics. Workarounds include disabling the component-model-async Cargo feature if unused or ensuring that all call_async futures are awaited to completion before reuse of the component instance or Store. The vulnerability is not known to be exploited in the wild.
Potential Impact
The primary impact of CVE-2026-27195 is denial of service (DoS) in applications embedding Wasmtime with the component-model-async feature enabled. When exploited, the runtime panics, potentially crashing the host application or causing instability. This can disrupt services relying on WebAssembly components for execution, especially in cloud-native environments, edge computing, or serverless platforms that use Wasmtime for sandboxing untrusted code. Since the vulnerability requires the host to drop asynchronous call futures prematurely and then reuse the component instance, it may be triggered inadvertently by buggy host code or maliciously by an attacker controlling inputs to the WebAssembly environment. The vulnerability does not allow code execution, data leakage, or integrity violations but can degrade availability, impacting reliability and uptime. Organizations relying on Wasmtime for critical workloads or multi-tenant environments may face service interruptions or require emergency patching. The medium CVSS score (6.9) reflects the moderate severity due to the availability impact combined with the complexity of exploitation requiring specific host behavior.
Mitigation Recommendations
1. Upgrade Wasmtime to version 40.0.4, 41.0.4, or later (42.0.0+) where the vulnerability is patched. 2. If the component-model-async feature is not required, disable it at compile time by disabling the Cargo feature to avoid exposure. 3. Ensure host embeddings always await the completion of call_async futures before dropping them or reusing the same component instance or Store. 4. Avoid dropping call_async futures prematurely; implement strict lifecycle management for asynchronous calls in the host embedding. 5. Conduct code reviews and static analysis on host applications embedding Wasmtime to detect improper async future handling patterns. 6. Monitor application logs for Wasmtime panics or traps indicative of this issue. 7. For environments using Tokio or other async runtimes, validate that async workflows correctly handle Wasmtime futures. 8. Consider isolating Wasmtime instances per request or user to limit impact scope if a panic occurs. 9. Engage with bytecodealliance community and maintainers for updates and best practices regarding async component usage. 10. Implement robust error handling around Wasmtime calls to gracefully recover from panics where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-18T19:47:02.154Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 699e178ab7ef31ef0b4219f4
Added to database: 2/24/2026, 9:26:34 PM
Last enriched: 2/24/2026, 9:41:13 PM
Last updated: 2/25/2026, 12:04:14 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-3134: SQL Injection in itsourcecode News Portal Project
MediumCVE-2026-3133: SQL Injection in itsourcecode Document Management System
MediumCVE-2026-27593: CWE-640: Weak Password Recovery Mechanism for Forgotten Password in statamic cms
CriticalCVE-2026-27117: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rikyoz bit7z
MediumCVE-2026-27572: CWE-770: Allocation of Resources Without Limits or Throttling in bytecodealliance wasmtime
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.