CVE-2026-27572: CWE-770: Allocation of Resources Without Limits or Throttling in bytecodealliance wasmtime
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-http` crate is backed by a data structure which panics when it reaches excessive capacity, and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.
AI Analysis
Technical Summary
CVE-2026-27572 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting Wasmtime, a popular WebAssembly runtime developed by the Bytecode Alliance. The flaw exists in Wasmtime's implementation of the wasi:http/types.fields resource, which manages HTTP header fields in WebAssembly System Interface (WASI) HTTP requests. Internally, Wasmtime uses a data structure within the wasmtime-wasi-http crate to store these header fields. When too many fields are added, this data structure reaches its capacity limit and panics. The panic is not handled gracefully by Wasmtime, so the runtime terminates abruptly. Since Wasmtime is often embedded in other applications to execute WebAssembly modules, such a panic translates into a Denial of Service (DoS) condition for the embedding application. The vulnerability affects multiple Wasmtime versions prior to 24.0.6, 36.0.6, 40.0.4, and 41.0.4, with no known workarounds. The patched versions replace the panic with a controlled trap that safely returns an error to the WebAssembly guest module, preventing the runtime from crashing. Exploitation requires limited privileges and user interaction, but no network authentication is needed. Although no known exploits have been reported in the wild, the vulnerability poses a risk to any system embedding Wasmtime, particularly those processing untrusted or user-supplied HTTP headers in WASI HTTP contexts.
Potential Impact
The primary impact of CVE-2026-27572 is Denial of Service (DoS) against applications embedding Wasmtime. By causing the runtime to panic and terminate unexpectedly, attackers can disrupt services relying on Wasmtime to execute WebAssembly modules. This can lead to application downtime, degraded service availability, and potential cascading failures in dependent systems. Since Wasmtime is used in various cloud, edge computing, and serverless environments to run WebAssembly workloads, the vulnerability could affect a wide range of modern applications. The lack of graceful handling of resource exhaustion means that attackers can exploit this by sending crafted requests with excessive HTTP header fields, triggering the panic. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact can be significant for critical infrastructure or high-availability services. Organizations embedding Wasmtime in security-sensitive or production environments may face operational disruptions and potential reputational damage if exploited.
Mitigation Recommendations
To mitigate CVE-2026-27572, organizations should promptly update Wasmtime to one of the patched versions: 24.0.6, 36.0.6, 40.0.4, 41.0.4, or later releases. This update replaces the panic with a controlled trap, preventing runtime crashes. Embedders should audit their use of Wasmtime, especially where untrusted input is processed via WASI HTTP interfaces, and ensure that input validation or rate limiting is applied to HTTP header fields before passing them to Wasmtime. Implementing application-level throttling or limits on the number of HTTP headers accepted can reduce the risk of triggering resource exhaustion. Monitoring Wasmtime logs and application health metrics for unexpected panics or crashes can help detect exploitation attempts. Additionally, consider isolating Wasmtime execution environments to limit the blast radius of potential DoS attacks. Since no workarounds exist, patching remains the most effective defense. Finally, maintain awareness of Wasmtime updates and security advisories to respond quickly to future vulnerabilities.
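As an added, defender-side illustration that is not Wasmtime's or wasmtime-wasi-http's own code (the type names, the `FieldsError` variants, the token check and the limit of 16 are assumptions made for this example), the following std-only Rust sketch shows the shape of both the fix and the embedder-side mitigation described above: a header-field set whose append is fallible and returns an error when a configured limit would be exceeded, which a host can report to the guest as a trap instead of panicking, and a guard that applies such a limit to an incoming request's headers before any of them reach the WASI HTTP layer.

```rust
// Added illustration, not Wasmtime's or wasmtime-wasi-http's own code: a
// header-field set with an explicit capacity limit and a fallible append, so
// that exceeding the limit surfaces as an error the host can turn into a trap
// rather than a panic that takes the embedder down. Type names, error variants
// and the limit values used below are assumptions made for this example.

use std::fmt;

/// Error returned instead of panicking. An embedder maps this onto a
/// guest-visible trap (the behaviour of the patched Wasmtime releases) or
/// rejects the request outright before it reaches the guest.
#[derive(Debug, PartialEq, Eq)]
pub enum FieldsError {
    /// Appending one more field would exceed the configured limit.
    TooManyFields { limit: usize },
    /// Empty or non-token header name (minimal syntax check for this example).
    InvalidName,
}

impl fmt::Display for FieldsError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            FieldsError::TooManyFields { limit } => {
                write!(f, "header field limit of {} exceeded", limit)
            }
            FieldsError::InvalidName => write!(f, "invalid header field name"),
        }
    }
}

/// A bounded multimap of header name -> value, modelled loosely on the
/// `wasi:http/types.fields` resource (assumed shape, not the real API).
#[derive(Debug)]
pub struct BoundedFields {
    entries: Vec<(String, Vec<u8>)>,
    limit: usize,
}

impl BoundedFields {
    pub fn with_limit(limit: usize) -> Self {
        BoundedFields { entries: Vec::new(), limit }
    }

    /// Fallible append: the capacity check happens before any allocation, so
    /// the caller gets an `Err` and the runtime keeps running.
    pub fn try_append(&mut self, name: &str, value: &[u8]) -> Result<(), FieldsError> {
        let is_token = !name.is_empty()
            && name.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-');
        if !is_token {
            return Err(FieldsError::InvalidName);
        }
        if self.entries.len() >= self.limit {
            return Err(FieldsError::TooManyFields { limit: self.limit });
        }
        self.entries.push((name.to_ascii_lowercase(), value.to_vec()));
        Ok(())
    }

    pub fn len(&self) -> usize {
        self.entries.len()
    }
}

/// Embedder-side guard: apply the header-count limit to an incoming request
/// before any of it is handed to the WASI HTTP layer.
pub fn accept_request_headers(raw: &[(&str, &[u8])], limit: usize) -> Result<BoundedFields, FieldsError> {
    let mut fields = BoundedFields::with_limit(limit);
    for (name, value) in raw {
        fields.try_append(name, value)?;
    }
    Ok(fields)
}

/// Constructed sample input: a request carrying `n` distinct header fields.
pub fn constructed_request(n: usize) -> Vec<(String, Vec<u8>)> {
    (0..n)
        .map(|i| (format!("x-constructed-{}", i), format!("value-{}", i).into_bytes()))
        .collect()
}

fn main() {
    // A request under the limit is accepted; one over it is rejected with an
    // error rather than a panic, and the process keeps serving.
    for &n in &[8usize, 40] {
        let owned = constructed_request(n);
        let raw: Vec<(&str, &[u8])> = owned.iter().map(|(k, v)| (k.as_str(), v.as_slice())).collect();
        match accept_request_headers(&raw, 16) {
            Ok(fields) => println!("{} headers accepted ({} stored)", n, fields.len()),
            Err(e) => println!("{} headers rejected without panicking: {}", n, e),
        }
    }
}
```

The limit is checked before the push, so the error path allocates nothing and the only state change on failure is none; a host that wraps this in a WASI `fields.append` binding can translate `TooManyFields` into a trap, while an edge proxy or the embedder's request front end can apply the same guard earlier and answer the client with an error response.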
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T17:40:28.448Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699e1b0db7ef31ef0b464b8b
Added to database: 2/24/2026, 9:41:33 PM
Last enriched: 3/4/2026, 6:48:05 PM
Last updated: 4/10/2026, 5:33:00 AM