Spin Framework Memory Leak DoS Vulnerability (CVE-2026-27887)

Key Vulnerability Information Vulnerability Overview Description: A memory leak issue has been identified in various WIT interfaces. Identifier: GHSA-mv4f-6ffm-32wx Publisher: fibonacci1729 Publication Date: 2 hours ago Severity Score: 6.9 / 10 (Medium) Affected Software Versions Vulnerability Details Summary: A pattern has been identified where client code can trigger unbounded large-scale resource allocation on the host side, potentially causing host process crashes and serving as a vector for Denial of Service (DoS) attacks. Details: When Spin is configured to allow connections to databases or web servers that return responses of unbounded size, the host process may exhaust memory, panic, and crash before the response is handed off to the client, particularly when attempting to buffer the entire response. Malicious client applications may gradually insert large volumes of data into a database and retrieve it in a single query, leading to excessive host resource allocation. Related APIs: - spin:sqlite - spin:postgres - ferylite:spin/mysql - ferylite:spin/postgres - ferylite:spin/sqlite - ferylite:spin/key-value - ferylite:spin/lite - ferylite:spin/http - ferylite:spin/redis - wasi:keyvalue Remediation Fixed Versions: Spin 3.6.2, SpinKube 0.6.2, and containerd-shim-spin 0.22.1 have patched this issue. Mitigation Measures: Configure Spin to allow access only to trusted databases and HTTP servers that enforce limited response sizes. Impact DoS Attack Vector: Affects all embedders of Spin, all users of SpinKube, and containerd-shim-spin instances running potentially untrusted content and/or allowing access to untrusted databases. Additional Information CVE ID: CVE-2026-27887 Weakness Types: - CWE-770 - CWE-774 - CWE-789

Goal Reached Thanks to every supporter — we hit 100%!

Spin Framework Memory Leak DoS Vulnerability (CVE-2026-27887)

More from this source