Skip to main content

Red Hat CVE-2026-22815

| EUVDEUVD-2026-18029 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-01 https://github.com/aio-libs/aiohttp GHSA-w2fm-2cpv-w7v5
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 01, 2026 - 19:45 euvd
EUVD-2026-18029
Analysis Generated
Apr 01, 2026 - 19:45 vuln.today
Patch released
Apr 01, 2026 - 19:45 nvd
Patch available
CVE Published
Apr 01, 2026 - 19:45 nvd
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 122 pypi packages depend on aiohttp (43 direct, 79 indirect)

Ecosystem-wide dependent count for version 3.13.4.

DescriptionGitHub Advisory

Summary

Insufficient restrictions in header/trailer handling could cause uncapped memory usage.

Impact

An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36

AnalysisAI

Memory exhaustion in aiohttp's header and trailer handling allows remote attackers to cause denial of service by sending attacker-controlled HTTP requests or responses with uncapped header/trailer values. The vulnerability affects aiohttp Python library across affected versions, enabling attackers to exhaust application memory without authentication. A mitigation is available via reverse proxy configuration, and upstream patch has been released.

Technical ContextAI

The vulnerability exists in aiohttp (pkg:pip/aiohttp), a popular asynchronous HTTP client/server library for Python, and stems from insufficient validation and restrictions on HTTP header and trailer processing. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), indicating the application fails to properly limit the size or number of headers and trailers processed during HTTP message parsing. When an HTTP request or response contains headers or trailers without appropriate length constraints, the parser consumes unbounded memory as it accumulates header data, leading to resource exhaustion and denial of service. This is particularly dangerous in server implementations that directly process untrusted HTTP input.

RemediationAI

Upstream fix available via GitHub commit 0c2e9da51126238a421568eb7c5b53e5b5d17b36 in the aio-libs/aiohttp repository; patched release versions should be verified in the GitHub advisory at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5. Update aiohttp to the patched version once released and verified. As an interim mitigation, deploy aiohttp behind a reverse proxy (nginx, Apache, Caddy, etc.) configured with strict header size and count limits to reject requests exceeding policy thresholds before they reach the application. This proxy-level control prevents unbounded memory consumption even if the application remains on an older version.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Public Cloud 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-22815 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy