How Hyperlight Wasm Enables Near-Instant, Secure Serverless Apps on Windows and Linux
Hyperlight Wasm, an open‑source lightweight virtual machine manager built with Rust, combines a micro‑VM and a WebAssembly runtime to launch secure, isolated applications in 1‑2 ms on Windows and Linux. It offers fast startup, strong sandboxing, and upcoming CNCF support, though it still has some platform limits.
Microsoft has recently previewed Hyperlight Wasm, a lightweight virtual machine manager that runs on both Windows and Linux.
Hyperlight Wasm merges a micro‑VM with a WebAssembly runtime, achieving startup times of only a few milliseconds and providing two‑layer isolation for secure execution of untrusted code.
Based on a fork of the Hyperlight project, it is a Rust‑built VMM that can launch a virtual machine without a kernel or operating system, exposing only a minimal Hyperlight Guest Library API.
It is described as an emerging project optimized for safely running untrusted code with minimal impact.
Architecture
[Figure: basic architecture of Hyperlight Wasm]
New Features
Hyperlight Wasm adds the Wasmtime WebAssembly runtime (from the Bytecode Alliance), creating a platform that can run applications written in any language supported by Wasmtime, including Rust, C, C++, Python, JavaScript, C#, Go, and Ruby.
The advantage is that it layers VM‑level security on top of Wasmtime’s sandbox, delivering ultra‑fast startup while maintaining strong isolation from the host OS.
According to Microsoft developer operations director Yosh Wuyts and software engineer/researcher Lucy Menon, launching a VM and running a Wasmtime application currently takes 1–2 ms, and they aim to reduce this to under 1 ms, effectively eliminating cold‑start latency for serverless platforms such as Azure Functions.
Hyperlight Wasm could allow on‑demand application instances to scale to zero while still providing rapid load times.
Comparison with Other Runtimes
It resembles Cloudflare Workers, which also offers a lightweight runtime on a global edge network, but Workers relies on V8 isolates for isolation. A key distinction is that a virtual machine provides a stricter security boundary than V8 isolates.
Current Limitations
Hyperlight Wasm cannot run on macOS at present; it is limited to Windows and Linux. Additionally, the VMM host does not supply a default WASI implementation, so developers must implement these interfaces themselves. Microsoft plans to add default bindings for common WASI APIs (e.g., HTTP server, sockets) soon.
CNCF Donation
The Hyperlight project has been donated to the Cloud Native Computing Foundation (CNCF) and will become part of the CNCF Sandbox, the most experimental category of CNCF projects. Hyperlight Wasm is now open‑source under the Apache 2.0 license.
Conclusion
While Microsoft’s initiative is not yet production‑ready, it demonstrates strong demand for runtimes that are lighter than containers yet offer VM‑level security and near‑instant startup.
This article has been distilled and summarized from source material, then republished for learning and reference.
21CTO
21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
