CVE-2026-27195 — Panic when dropping a `[Typed]Func::call_async` future

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xjhv-v822-pf94 For more information see the GitHub-hosted security advisory.

How to fix CVE-2026-27195

To remediate CVE-2026-27195, upgrade the affected package to a fixed version below.

crates.io/wasmtime—upgrade to 40.0.4 or later
crates.io/wasmtime—upgrade to 40.0.4 or later

Is CVE-2026-27195 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 39.0.0, < 40.0.4
>= 39.0.0, < 40.0.4, >= 41.0.0, < 41.0.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-27195
PATCHcrates.io/crates/wasmtime
PATCHgithub.com/bytecodealliance/wasmtime
WEBbytecodealliance.zulipchat.com/#narrow/channel/206238-general/topic/.E2.9C.94.20Panic.20in.20Wasmtime.2041.2E0.2E3.20.28runtime.2Fconcurrent.2Fcomponent.29/with/574438798