CVE-2026-27204: CWE-400: Uncontrolled Resource Consumption in bytecodealliance wasmtime
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces is susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 have all been released with the fix for this issue. These versions do not prevent this issue in their default configuration to avoid breaking preexisting behaviors. All versions of Wasmtime have appropriate knobs to prevent this behavior, and Wasmtime 42.0.0-and-later will have these knobs tuned by default to prevent this issue from happening. There are no known workarounds for this issue without upgrading. Embedders are recommended to upgrade and configure their embeddings as necessary to prevent possibly-malicious guests from triggering this issue.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Wasmtime is a widely used runtime for executing WebAssembly (Wasm) modules. Its WASI (WebAssembly System Interface) host interfaces let a guest module ask the host to perform I/O and to allocate host-side resources on its behalf. CVE-2026-27204 covers Wasmtime releases before 24.0.6, 36.0.6, 40.0.4, 41.0.4 and 42.0.0, in which those host interfaces did not adequately bound the resource allocations a guest could request. A malicious or compromised guest can therefore drive host memory, file descriptors or handles, and similar host-side resources to exhaustion, which is why the issue is classified under CWE-400 (Uncontrolled Resource Consumption) together with CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-774 (Allocation of File Descriptors or Handles Without Limits or Throttling) and CWE-789 (Uncontrolled Memory Allocation). Two details matter for remediation. First, the fixed patch releases (24.0.6, 36.0.6, 40.0.4, 41.0.4) keep the permissive defaults so that existing embeddings do not change behaviour; the knobs needed to bound these allocations exist in all versions, but only 42.0.0 and later tune them by default. Second, the advisory does not name the specific configuration knobs, so embedders should take the list from the release notes of the version they upgrade to. There is no workaround short of upgrading and configuring those limits. The recorded vector is network-reachable with partial authentication and some user interaction required; in practice the precondition is that the attacker can get a module of their choosing executed by an embedding that exposes WASI, which is the normal situation for multi-tenant, plugin and serverless deployments. No exploitation in the wild is known at this time.
Potential Impact
The impact of CVE-2026-27204 is denial of service through resource exhaustion on the host that embeds Wasmtime. Exposure is greatest for embeddings that run untrusted or third-party modules: cloud platforms, edge runtimes, serverless function hosts and plugin systems. Depending on which allocation the guest drives, the result is host memory exhaustion or file descriptor and handle depletion, which can crash the host process or take down every other guest sharing it; because the resources are consumed on the host rather than inside the guest's own linear memory, the Wasm sandbox itself does not contain the damage. Given Wasmtime's adoption in cloud-native and edge scenarios, affected organisations span technology providers, financial services, telecommunications and government. The absence of known exploits reduces the immediate risk, but the attack needs nothing more than a guest that asks for more than the host should grant, so the medium severity rating still warrants prompt remediation.
Mitigation Recommendations
Upgrade every Wasmtime embedding to 42.0.0 or later, where the limiting knobs are tuned by default, and then check that those defaults suit your workload. If you must stay on an older major series, move to its fixed release (24.0.6, 36.0.6, 40.0.4 or 41.0.4) and treat the upgrade as incomplete until you have explicitly configured limits on the host resources guests may allocate, including memory and file descriptors or handles, because those releases deliberately keep the permissive defaults; take the exact knob names from the release notes of the version you install, since the advisory does not list them. Audit existing configurations for the same settings and tune them to operational requirements rather than leaving them at their maximum. Verify the configuration in staging with a test guest that requests oversized allocations and opens handles in a loop, and confirm that the host refuses the requests rather than degrades. Independently of Wasmtime, run embeddings under operating-system backstops (memory limits via cgroups, an open-descriptor limit via ulimit -n, or a container with equivalent resource limits) so that one misconfigured store cannot take the whole host down, and place untrusted guests in separate processes where the deployment allows. Restrict execution of untrusted or third-party modules where possible, and monitor host memory and open-descriptor counts per embedding for abnormal growth. Keep following Wasmtime release notes and security advisories. There is no workaround without upgrading, so prioritise patching.
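The allocation pattern the advisory describes, as an added example in Rust that is not Wasmtime's code: Wasmtime's actual WASI implementation and the configuration knobs the advisory refers to are not shown on this page, and the types HostLimits, HostState and HostError, the handle-table model and the 64-handle / 64 KiB caps are this example's own assumptions. It models a toy host interface that allocates on behalf of a guest, with the unbounded read beside a limited one and a capped handle table, and it serves both the technical summary (what the guest controls) and the mitigation section (what a limit has to gate).

```rust
// Added illustration, not Wasmtime code: a toy WASI-like host with a handle
// table and a read call, in an unbounded and a limited form.
use std::collections::HashMap;

/// Per-store caps on host resources a guest may request. `None` means no cap,
/// which models the permissive default the advisory describes for fixed
/// releases before 42.0.0. Field names are this example's own, not Wasmtime's.
#[derive(Clone, Copy, Debug)]
pub struct HostLimits {
    pub max_open_handles: Option<usize>,
    pub max_read_len: Option<usize>,
}

impl HostLimits {
    pub fn unlimited() -> Self {
        HostLimits { max_open_handles: None, max_read_len: None }
    }
    /// Assumed caps for the demo; a real embedding tunes these to its workload.
    pub fn strict() -> Self {
        HostLimits { max_open_handles: Some(64), max_read_len: Some(64 * 1024) }
    }
}

#[derive(Debug, PartialEq)]
pub enum HostError {
    BadHandle,
    TooManyHandles,
    OutOfMemory,
}

/// One open resource: constructed in-memory contents plus a read cursor.
struct Resource {
    data: Vec<u8>,
    pos: usize,
}

pub struct HostState {
    limits: HostLimits,
    next_handle: u32,
    table: HashMap<u32, Resource>,
}

impl HostState {
    pub fn new(limits: HostLimits) -> Self {
        HostState { limits, next_handle: 3, table: HashMap::new() }
    }

    pub fn open_handles(&self) -> usize {
        self.table.len()
    }

    /// Guest asks for a new handle. Without a cap a guest can keep opening
    /// until the host process hits its own descriptor limit (CWE-774).
    pub fn open(&mut self, contents: Vec<u8>) -> Result<u32, HostError> {
        if let Some(cap) = self.limits.max_open_handles {
            if self.table.len() >= cap {
                return Err(HostError::TooManyHandles);
            }
        }
        let h = self.next_handle;
        self.next_handle += 1;
        self.table.insert(h, Resource { data: contents, pos: 0 });
        Ok(h)
    }

    pub fn close(&mut self, h: u32) -> Result<(), HostError> {
        self.table.remove(&h).map(|_| ()).ok_or(HostError::BadHandle)
    }

    /// Unbounded pattern (CWE-789): the host sizes its scratch buffer by the
    /// guest-supplied `len`. The only backstop is the allocator: a request of
    /// a few GiB succeeds on a large host and starves other tenants, and only
    /// an absurd request such as `usize::MAX` is refused outright.
    pub fn read_unbounded(&mut self, h: u32, len: usize) -> Result<Vec<u8>, HostError> {
        let res = self.table.get_mut(&h).ok_or(HostError::BadHandle)?;
        let mut buf: Vec<u8> = Vec::new();
        buf.try_reserve_exact(len).map_err(|_| HostError::OutOfMemory)?;
        let n = len.min(res.data.len() - res.pos);
        buf.extend_from_slice(&res.data[res.pos..res.pos + n]);
        res.pos += n;
        Ok(buf)
    }

    /// Limited pattern: the host allocates min(len, cap, bytes available).
    /// A read may legitimately return fewer bytes than asked for, so clamping
    /// keeps the interface contract while making the allocation a function of
    /// host policy rather than of guest input.
    pub fn read_limited(&mut self, h: u32, len: usize) -> Result<Vec<u8>, HostError> {
        let cap = self.limits.max_read_len.unwrap_or(usize::MAX);
        let res = self.table.get_mut(&h).ok_or(HostError::BadHandle)?;
        let n = len.min(cap).min(res.data.len() - res.pos);
        let mut buf: Vec<u8> = Vec::new();
        buf.try_reserve_exact(n).map_err(|_| HostError::OutOfMemory)?;
        buf.extend_from_slice(&res.data[res.pos..res.pos + n]);
        res.pos += n;
        Ok(buf)
    }
}

fn main() {
    // Constructed guest behaviour: open one 1 MiB resource, then ask for far
    // more than exists; strict limits hold the host allocation at 64 KiB.
    let mut host = HostState::new(HostLimits::strict());
    let h = host.open(vec![0xAB; 1 << 20]).unwrap();
    let chunk = host.read_limited(h, usize::MAX).unwrap();
    println!("limited read returned {} bytes", chunk.len());
    // Handle-exhaustion attempt: opens succeed until the cap, then are refused.
    while host.open(Vec::new()).is_ok() {}
    println!("handles held: {}", host.open_handles());
}
```

The advisory's point is the difference between the two read variants: in the unbounded one the buffer size is guest data and the allocator is the only backstop, so a request of a few GiB is honoured on a large host; in the limited one the size is bounded by host policy and by the bytes actually available. The handle table shows the same gate-at-allocation-time shape for CWE-774. Caps of this kind are what an embedder must turn on explicitly on the fixed 24.x to 41.x releases; in a real embedding they are set through Wasmtime's configuration, not through a struct of this example's own.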
Affected Countries
United States, Germany, Japan, United Kingdom, France, South Korea, Canada, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-18T19:47:02.155Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e1b0db7ef31ef0b464b82
Added to database: 2/24/2026, 9:41:33 PM
Last enriched: 3/4/2026, 6:49:12 PM
Last updated: 4/10/2026, 10:14:31 PM