Vulnerability GHSA-xjhv-v822-pf94: Information

Description

Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future

Severity: (6.9)
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
URL: https://github.com/advisories/GHSA-xjhv-v822-pf94
Published: Feb. 24, 2026
Modified: Feb. 27, 2026
Error type identifier: CWE-755

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
wasmtimesisyphus43.0.0-alt143.0.0-alt1ALT-PU-2026-5689-2414049Fixed
wasmtimesisyphus_riscv6443.0.0-alt143.0.0-alt1ALT-PU-2026-7613-1-Fixed
wasmtimesisyphus_loongarch6443.0.0-alt143.0.0-alt1ALT-PU-2026-7551-1-Fixed

Affected packages

Ecosystem
Name
Affected versions
Patched versions
crates.iowasmtime
>=39.0.0, <40.0.4
>=41.0.0, <41.0.4
40.0.4
41.0.4

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94
  • WEB
https://nvd.nist.gov/vuln/detail/CVE-2026-27195
  • ADVISORY
https://github.com/bytecodealliance/wasmtime/commit/9e51c0d9a240a9613d279c061f82286bd11383fd
  • WEB
https://github.com/bytecodealliance/wasmtime/commit/d86b00736b9ece60b3c81e52f7a7e4cdd9f7d895
  • WEB
https://bytecodealliance.zulipchat.com/#narrow/channel/206238-general/topic/.E2.9C.94.20Panic.20in.20Wasmtime.2041.2E0.2E3.20.28runtime.2Fconcurrent.2Fcomponent.29/with/574438798
  • WEB
https://github.com/bytecodealliance/wasmtime
  • PACKAGE
https://github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4
  • WEB
https://github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4
  • WEB
https://rustsec.org/advisories/RUSTSEC-2026-0022.html
  • WEB
CVE-2026-27195
  • CVE
VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
Version: v26.5.1
Back to top