CVE-2026-27195 exposes panic in Wasmtime component model async implementation
Wasmtime received a medium-severity advisory, CVE-2026-27195, after a panic was reported in its component-model async implementation; the advisory was published February 25, 2026.

CVE-2026-27195 flags a panic in Wasmtime’s component-model async implementation; the advisory was published on February 25, 2026 and is classified as medium severity. The advisory specifically tracks the defect in Wasmtime, the WebAssembly runtime maintained as a core project of the Bytecode Alliance, making the report directly relevant to anyone running component-model workloads on Wasmtime builds.
Wasmtime provides the component model and async execution primitives that many Rust projects and cloud runtimes rely on. The advisory name CVE-2026-27195 appears in public vulnerability lists as of February 25, 2026. The published notice describes a panic condition inside the component-model async code path; the advisory text links that panic to functions in Wasmtime’s component-model async implementation rather than to unrelated host bindings or linear memory handling.
Bytecode Alliance stewardship of Wasmtime places this issue at the center of several downstream stacks that embed Wasmtime for sandboxing and modular WebAssembly components. The advisory’s medium severity rating signals an issue serious enough to warrant patching for integrators who deploy component-model async features, but one not classified as critical across all Wasmtime use cases.
The publication date of February 25, 2026 follows routine responsible disclosure timelines for runtime vulnerabilities, and the advisory is being tracked publicly under the CVE identifier CVE-2026-27195. Because Wasmtime is widely packaged and bundled into other tooling, packagers and integrators should record that CVE-2026-27195 affects the component-model async implementation specifically rather than core wasm instantiation alone.
For maintainers and operators, the immediate facts are concrete: CVE-2026-27195 names Wasmtime and the component-model async implementation, and the advisory was released February 25, 2026 with a medium-severity classification. That specificity gives downstream teams a reproducible starting point for triage centered on Wasmtime component-model async code paths, and for coordinating updates across releases that include Wasmtime as a core dependency.
Expect follow-up from Bytecode Alliance and the Wasmtime maintainers as they annotate affected versions and publish fixes; CVE-2026-27195 will be the label downstream packagers and CI pipelines use to gate upgrades and to validate that component-model async workloads no longer trigger the described panic.

