Vulnerability GHSA-243v-98vx-264h: Information

Description

Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance

Severity: (6.9)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
URL: https://github.com/advisories/GHSA-243v-98vx-264h
Published: Feb. 25, 2026
Modified: Feb. 27, 2026
Error type identifier: CWE-770

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
wasmtimesisyphus43.0.0-alt143.0.0-alt1ALT-PU-2026-5689-2414049Fixed
wasmtimesisyphus_riscv6443.0.0-alt143.0.0-alt1ALT-PU-2026-7613-1-Fixed
wasmtimesisyphus_loongarch6443.0.0-alt143.0.0-alt1ALT-PU-2026-7551-1-Fixed

Affected packages

Ecosystem
Name
Affected versions
Patched versions
crates.iowasmtime
<24.0.6
>=25.0.0, <36.0.6
>=37.0.0, <40.0.4
24.0.6
36.0.6
40.0.4

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h
  • WEB
https://nvd.nist.gov/vuln/detail/CVE-2026-27572
  • ADVISORY
https://github.com/bytecodealliance/wasmtime/commit/301dc7162cca51def19131019af1187f45901c0a
  • WEB
https://docs.rs/http/1.4.0/http/header/#limitations
  • WEB
https://github.com/bytecodealliance/wasmtime
  • PACKAGE
https://github.com/bytecodealliance/wasmtime/releases/tag/v24.0.6
  • WEB
https://github.com/bytecodealliance/wasmtime/releases/tag/v36.0.6
  • WEB
https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4
  • WEB
https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4
  • WEB
https://rustsec.org/advisories/RUSTSEC-2026-0021.html
  • WEB
CVE-2026-27572
  • CVE
VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
Version: v26.5.1
Back to top