CVE-2026-54274
Status: Undergoing Analysis - In Progress
Memory Exhaustion in AIOHTTP via Incomplete WebSocket Frames

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Associated CPEs (2):
Vendor   Product   Version / Range
aiohttp  aiohttp   up to and including 3.14.0 (affected)
aiohttp  aiohttp   3.14.1 (the fixed release)
CWE
CWE ID   Description
CWE-770  The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-54274 is a vulnerability in the aiohttp library, an asynchronous HTTP client/server framework for Python. Prior to version 3.14.1, an attacker who sends large incomplete WebSocket frame payloads may be able to bypass the library's usual limits on memory use.

An incomplete frame is one whose header declares more payload than has actually arrived. The library did not properly enforce its message size limit before buffering payload data, so a peer could declare an oversized frame, send only part of it, and leave the receiver holding the partial payload while it waited for the rest. Memory held this way is not counted against the limit that applies to completed messages.

The vulnerability was fixed in version 3.14.1 by improving WebSocket security checks, including stricter message size validation and rejecting invalid opcodes early.

Impact Analysis

This vulnerability allows an attacker who can open a WebSocket connection to a server built on aiohttp to mount a denial-of-service (DoS) attack by sending large incomplete WebSocket frames that bypass the memory size limits. Because each connection can hold its own partial payload, many concurrent connections multiply the effect.

As a result, the server may consume excessive memory, leading to degraded performance, worker crashes (including out-of-memory kills) or unavailability of the service.

Detection Guidance

The trigger is a WebSocket frame whose header declares a payload larger than the receiver's message size limit, followed by less payload than declared, so the receiver keeps buffering while it waits for the rest. On the wire this looks like frames with very large declared lengths that never complete, fragmented messages that never finish, and connections that stay open while sending little data.

Detection can focus on WebSocket traffic with unusually large declared payload lengths, incomplete or fragmented frames, and unexpected or reserved opcodes, correlated with memory growth in the aiohttp process.

Packet capture tools such as tcpdump and Wireshark can surface these patterns, with one caveat: WebSocket traffic on port 443 is inside TLS, so frames are only visible where TLS is terminated (for example at a reverse proxy) or when the session keys are available to Wireshark.

  • Capture WebSocket traffic on the relevant ports, giving the output file before the filter expression: tcpdump -i <interface> -w websocket.pcap 'port 80 or port 443'
  • Open the capture in Wireshark with the display filter websocket and look for frames whose declared payload length is far larger than the bytes that follow, continuation frames that never end with FIN set, and opcodes outside the defined set.
  • Monitor application logs for WebSocket protocol errors, and per-process memory (RSS) for growth that tracks the number of open WebSocket connections rather than the number of completed messages.
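The header-time check described above, contrasted with the buffer-then-check pattern, as an added example that is not code from aiohttp or from this advisory and does not reproduce aiohttp's parser or the exact code path behind CVE-2026-54274. It parses an RFC 6455 frame header, runs a receiver that applies the message limit only once a frame completes beside one that applies it from the declared length, and shows the fragment-accumulation case. The frame sizes, the 64 KiB limit and the sample frames are constructed for illustration.

```python
"""WebSocket (RFC 6455) frame-header checks applied before any payload is buffered.
Added example for this page: not aiohttp code and not a reproduction of aiohttp's
parser or of the exact code path behind CVE-2026-54274.  Sample frames are constructed."""
from __future__ import annotations

import struct

RESERVED_OPCODES = {0x3, 0x4, 0x5, 0x6, 0x7, 0xB, 0xC, 0xD, 0xE, 0xF}
CLOSE_PROTOCOL_ERROR = 1002      # RFC 6455 close codes
CLOSE_TOO_BIG = 1009


def parse_frame_header(buf: bytes) -> dict:
    """Decode FIN, RSV, opcode, MASK and the (possibly extended) payload length.
    Raises ValueError while the bytes on hand do not yet hold a full header."""
    if len(buf) < 2:
        raise ValueError("need at least 2 bytes")
    b0, b1 = buf[0], buf[1]
    length, pos = b1 & 0x7F, 2
    if length == 126:                        # 16-bit extended length
        if len(buf) < pos + 2:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif length == 127:                      # 64-bit extended length
        if len(buf) < pos + 8:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
    masked = bool(b1 & 0x80)
    if masked:                               # 4-byte masking key follows the length
        if len(buf) < pos + 4:
            raise ValueError("truncated masking key")
        pos += 4
    return {"fin": bool(b0 & 0x80), "rsv": (b0 >> 4) & 0x07, "opcode": b0 & 0x0F,
            "masked": masked, "payload_len": length, "header_len": pos}

def check_frame(buf: bytes, max_msg_size: int, bytes_pending: int = 0) -> tuple[str, int | None]:
    """Decide from the header alone: ("accept", None) or ("close", close_code).
    bytes_pending is payload already buffered for an in-progress fragmented message, so a
    message cannot be smuggled past the limit in pieces.  RSV bits are treated as an error,
    which assumes no extension such as permessage-deflate was negotiated."""
    hdr = parse_frame_header(buf)
    if hdr["opcode"] in RESERVED_OPCODES or hdr["rsv"]:
        return "close", CLOSE_PROTOCOL_ERROR
    if hdr["payload_len"] >> 63:             # MSB of a 64-bit length must be zero
        return "close", CLOSE_PROTOCOL_ERROR
    if bytes_pending + hdr["payload_len"] > max_msg_size:
        return "close", CLOSE_TOO_BIG
    return "accept", None

def receive_stream(chunks: list[bytes], max_msg_size: int, check_early: bool) -> tuple[int, str]:
    """Feed network chunks to a one-frame receiver; return (peak bytes buffered, outcome).
    check_early=False models the vulnerable pattern: the limit is applied only once the whole
    frame has arrived, so a peer that declares a huge length and then trickles data keeps its
    partial payload resident for as long as the connection lives."""
    buf, hdr, peak = b"", None, 0
    for chunk in chunks:
        buf += chunk
        if hdr is None:
            try:
                hdr = parse_frame_header(buf)
            except ValueError:               # header not complete yet
                continue
            if check_early:
                verdict, code = check_frame(buf, max_msg_size)
                if verdict == "close":
                    return peak, f"closed {code} after {len(buf)} bytes"
        body_len = len(buf) - hdr["header_len"]
        peak = max(peak, body_len)
        if body_len >= hdr["payload_len"]:
            if body_len > max_msg_size:      # the late check the vulnerable path relies on
                return peak, f"closed {CLOSE_TOO_BIG} after full message"
            return peak, "message delivered"
    return peak, "still waiting for the rest of the frame"

def build_frame(opcode: int, payload: bytes, *, fin: bool = True,
                declared_len: int | None = None, mask_key: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Build a masked client-to-server frame.  declared_len lets the header promise
    more payload than is actually sent, which is what the attacker does."""
    length = len(payload) if declared_len is None else declared_len
    head = bytes([(0x80 if fin else 0) | opcode])
    if length < 126:
        head += bytes([0x80 | length])
    elif length < 1 << 16:
        head += bytes([0x80 | 126]) + struct.pack("!H", length)
    else:
        head += bytes([0x80 | 127]) + struct.pack("!Q", length)
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return head + mask_key + masked

# Constructed sample traffic, not captured data.
MAX_MSG_SIZE = 64 * 1024
LEGIT_FRAME = build_frame(0x1, b"hello")
# Header declares 1 GiB; only 50 x 4 KiB of payload ever arrives.
ATTACK_CHUNKS = [build_frame(0x2, b"", declared_len=1 << 30)] + [b"\x00" * 4096] * 50

if __name__ == "__main__":
    print("late check:", receive_stream(ATTACK_CHUNKS, MAX_MSG_SIZE, check_early=False))
    print("early     :", receive_stream(ATTACK_CHUNKS, MAX_MSG_SIZE, check_early=True))
```

With the late check, the receiver is still holding all 204,800 bytes of a frame that will never complete, and nothing in its limit logic ever fires; with the header-time check the connection is closed with code 1009 after the 14-byte header, before any payload is buffered. The same `check_frame` call, given the bytes already pending for a fragmented message, also stops a message that arrives in pieces from exceeding the limit in total.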
Mitigation Strategies

The primary mitigation is to upgrade aiohttp to version 3.14.1 or later, where this vulnerability has been fixed. Check every place the dependency is resolved (requirements and lock files, container images, vendored copies), not only the top-level pin.

This update includes stricter WebSocket frame size validation, rejection of reserved or unexpected opcodes, and improved protocol compliance checks to prevent memory exhaustion attacks.

If upgrading immediately is not possible, enforce limits outside the library: have a WebSocket-aware reverse proxy or gateway cap frame and message sizes, restrict and rate-limit WebSocket connections per client, apply idle and receive timeouts so half-sent frames are dropped, and run workers under a memory ceiling so exhaustion kills one worker rather than the host. The library's own per-message size limit is the control this bug bypasses, so tightening it is not by itself a workaround.
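The version check described above, as an added example that is not part of the advisory or the aiohttp project: a small scanner that flags aiohttp pins below 3.14.1 in a requirements file and reports the version installed in the current environment. The affected range (everything before 3.14.1) comes from the description on this page; the sample requirements lines are constructed, and the version ordering handles pre- and post-releases but not epochs or local versions.

```python
"""Find aiohttp versions in the affected range for CVE-2026-54274.
Added example for this page, not a tool from the aiohttp project.  The affected
range (everything before 3.14.1) comes from the advisory text; the requirements
lines below are constructed sample input."""
from __future__ import annotations

import re
from importlib import metadata

FIXED_IN = "3.14.1"
_PEP440 = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc|\.dev)(\d+))?(?:\.post(\d+))?")
_PRE_RANK = {"dev": -4, "a": -3, "b": -2, "rc": -1}


def version_key(version: str) -> tuple[int, ...]:
    """Sort key for a PEP 440 version: release numbers, then pre-release rank.
    Pre-releases of 3.14.1 (3.14.1a1, 3.14.1rc2, 3.14.1.dev0) sort before the final
    3.14.1 and are therefore still reported as affected; post-releases sort after it.
    Epochs and local version labels are not handled."""
    m = _PEP440.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    release = (release + (0, 0, 0))[:3]          # 3.14 == 3.14.0
    pre = _PRE_RANK[m.group(2).lstrip(".")] if m.group(2) else 0
    return release + (pre, int(m.group(3) or 0), int(m.group(4) or 0))


def is_affected(version: str) -> bool:
    return version_key(version) < version_key(FIXED_IN)


def scan_requirements(text: str) -> list[tuple[str, str]]:
    """Classify the aiohttp lines of a requirements/constraints file.
    Only exact '==' pins can be judged; any other aiohttp specifier is flagged so the
    resolved version is read from the lock file or the environment instead."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        name = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not name or name.group(1).lower() != "aiohttp":
            continue                              # blank line or another project
        pin = re.match(r"aiohttp\s*(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;,]*)", line, re.IGNORECASE)
        if pin:
            status = "AFFECTED" if is_affected(pin.group(1)) else "fixed"
        else:
            status = "unpinned: check the lock file"
        findings.append((line, status))
    return findings


def installed_status() -> str:
    """Report on the aiohttp installed in the current environment, if any."""
    try:
        version = metadata.version("aiohttp")
    except metadata.PackageNotFoundError:
        return "aiohttp not installed"
    return f"aiohttp {version}: " + ("AFFECTED" if is_affected(version) else "fixed")


# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
aiohttp==3.14.0          # server, affected
aiohttp[speedups]==3.14.1
aiohttp>=3.9,<4          # a range cannot be judged from the line alone
"""

if __name__ == "__main__":
    for line, status in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:<32} {line}")
    print(installed_status())
```

Run it against each requirements or constraints file in the repository, and run `installed_status()` inside the deployed image or virtualenv, since a pinned file and the environment that was actually built from it can disagree.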
