CVE-2026-27572 is a resource allocation vulnerability classified under CWE-770, affecting the Wasmtime WebAssembly runtime developed by bytecodealliance. Specifically, the issue lies in the implementation of the wasi:http/types.fields resource within the wasmtime-wasi-http crate. This resource manages HTTP header fields using a data structure that panics when it exceeds a certain capacity limit. Prior to the patched versions (24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0), Wasmtime did not gracefully handle this panic condition, resulting in an unhandled panic that causes the runtime to terminate unexpectedly. Since Wasmtime is often embedded in applications to execute WebAssembly modules, such a panic translates into a Denial of Service (DoS) vector, disrupting the availability of the host application. The vulnerability can be triggered by adding an excessive number of HTTP header fields, which may be possible through crafted input or malicious WebAssembly modules. The fix implemented in the patched versions replaces the panic with a trap returned to the guest module, preventing the runtime from crashing. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the network attack vector, low attack complexity, partial privileges required, and user interaction needed. There are no known exploits in the wild, and no alternative mitigations besides upgrading to a patched version.

The primary impact of CVE-2026-27572 is Denial of Service, which can disrupt the availability of applications embedding Wasmtime to run WebAssembly modules. This can affect services relying on Wasmtime for HTTP-related WebAssembly workloads, potentially causing application crashes or service outages. Since the vulnerability triggers a panic in the runtime, it may lead to unexpected termination of processes, impacting reliability and uptime. Although confidentiality and integrity are not directly compromised, the availability impact can be significant for critical systems or high-availability environments. Organizations deploying Wasmtime in network-facing or multi-tenant environments are at higher risk, as attackers could exploit this by sending crafted inputs to induce panics. The medium severity rating indicates a moderate risk, but the ease of exploitation and lack of workarounds elevate the urgency for patching. Disruption could affect cloud providers, edge computing platforms, and any service leveraging Wasmtime for WebAssembly execution.

The definitive mitigation for CVE-2026-27572 is to upgrade Wasmtime to one of the patched versions: 24.0.6, 36.0.6, 40.0.4, 41.0.4, or 42.0.0, depending on the current version in use. Embedders should verify their Wasmtime version and apply updates promptly. Since no workarounds exist, organizations should also audit their usage of the wasi:http/types.fields resource to identify potential exposure. Implement input validation or rate limiting on HTTP headers passed to WebAssembly modules to reduce the risk of triggering excessive header fields. Additionally, embedding applications should implement robust error handling around Wasmtime invocations to gracefully recover from unexpected traps or panics. Monitoring Wasmtime logs for panic events can help detect attempted exploitation. Finally, coordinate with development teams to ensure that WebAssembly modules do not generate excessive headers and consider sandboxing or isolating Wasmtime instances to limit blast radius in case of DoS.