CVE-2026-27195: Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
The affected versions of Wasmtime can panic if the host embedder drops the future returned by `wasmtime::component::[Typed]Func::call_async` before it resolves.
References
- bytecodealliance.zulipchat.com/
- github.com/advisories/GHSA-xjhv-v822-pf94
- github.com/bytecodealliance/wasmtime
- github.com/bytecodealliance/wasmtime/commit/9e51c0d9a240a9613d279c061f82286bd11383fd
- github.com/bytecodealliance/wasmtime/commit/d86b00736b9ece60b3c81e52f7a7e4cdd9f7d895
- github.com/bytecodealliance/wasmtime/releases/tag/v40.0.4
- github.com/bytecodealliance/wasmtime/releases/tag/v41.0.4
- github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94
- nvd.nist.gov/vuln/detail/CVE-2026-27195