CVE-2026-34517

ADVISORY - github

Summary

For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.

Impact

If an application uses Request.post() an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.

Patch: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145

EPSS Score⁠: 0.0004 (0.122)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-770⁠

Allocation of Resources Without Limits or Throttling

ADVISORY - github

CWE-770⁠

Allocation of Resources Without Limits or Throttling

ADVISORY - redhat

CWE-770⁠

Allocation of Resources Without Limits or Throttling

Impacted images

Advisories

NIST

CREATED

3 days ago

UPDATED

1 day ago

ADVISORY IDCVE-2026-34517⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-770⁠

CVSS SCORE

2.7low

GitHub

CREATED

3 days ago

UPDATED

3 days ago

ADVISORY IDGHSA-3wq7-rqq7-wx6j⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-770⁠

CVSS SCORE

2.7low

Debian

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY IDCVE-2026-34517⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY IDCVE-2026-34517⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

3 days ago

UPDATED

3 days ago

ADVISORY IDCVE-2026-34517⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-770⁠

CVSS SCORE

3.7low

Chainguard

CREATED

1 day ago

UPDATED

1 day ago

ADVISORY ID

CGA-9cx2-jhh7-fj48

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY