VDB
CVE-2026-27195
CVE-2026-27195
PUBLISHED
CVSS 6.900000095367432 MEDIUM
Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
EPSS 0.08% · 23.9th percentile
Risk Scores
CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
EPSS Score
0.08%
23.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| crates.io | wasmtime | 39.0.0, 41.0.0, 39.0.0 |
| bytecodealliance | wasmtime | >= 39.0.0, < 40.0.4, 41.0.0, 39.0.0 |
Timeline
- Feb 24, 2026 CVE Published
- Feb 25, 2026 EPSS Score
- Feb 25, 2026 PoC Published
- Feb 25, 2026 CVE Updated
- Feb 25, 2026 PoC Published
- Feb 26, 2026 EPSS Score
- Feb 28, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
- Mar 6, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
References
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94 url
- https://github.com/bytecodealliance/wasmtime/commit/9e51c0d9a240a9613d279c061f82286bd11383fd url
- https://github.com/bytecodealliance/wasmtime/commit/d86b00736b9ece60b3c81e52f7a7e4cdd9f7d895 url
- https://bytecodealliance.zulipchat.com/#narrow/channel/206238-general/topic/.E2.9C.94.20Panic.20in.20Wasmtime.2041.2E0.2E3.20.28runtime.2Fconcurrent.2Fcomponent.29/with/574438798 url
- https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4 url
- https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-27195 advisory
- https://github.com/bytecodealliance/wasmtime package
- https://rustsec.org/advisories/RUSTSEC-2026-0022.html url