CVE-2026-54277
Undergoing Analysis - In Progress
Memory Exhaustion in AIOHTTP via Oversized HTTP Lines

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS. This vulnerability is fixed in 3.14.1.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: aio-libs
Product: aiohttp
Version / Range: up to 3.14.1 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-54277 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-54277 vulnerability is a flaw in the aiohttp library's C HTTP parser where the maximum allowed line size (max_line_size) check can be bypassed. This happens because the parser checks each fragment of a line individually rather than the total length of the entire line. An attacker can exploit this by splitting an oversized HTTP request line across multiple fragments, causing the parser to accept lines that exceed the configured maximum size without raising an error.

This flaw specifically affects the default optimized C parser used in pre-built wheels of aiohttp versions prior to 3.14.1. The issue allows sending oversized lines through the HTTP parser, which can lead to excessive memory consumption.

Impact Analysis

This vulnerability can impact you by allowing an attacker to send oversized HTTP request lines that bypass size checks, causing the aiohttp server or client to consume an excessive amount of memory.

The excessive memory usage can lead to a denial-of-service (DoS) condition, where the affected application becomes unresponsive or crashes due to resource exhaustion.

Detection Guidance

This vulnerability involves sending oversized HTTP request lines that are fragmented to bypass the max_line_size check in the aiohttp C parser. Detection would involve monitoring HTTP traffic for unusually long or fragmented request lines that exceed typical size limits.

Since the vulnerability exploits fragmented HTTP request lines, network detection could focus on inspecting HTTP requests for lines that are split across multiple TCP segments but cumulatively exceed normal length limits.

Specific commands are not provided in the resources, but general approaches include using network packet capture tools like tcpdump or Wireshark to capture HTTP traffic and then analyzing for fragmented HTTP lines exceeding normal size thresholds.

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -s 0 -w capture.pcap 'port 80 or port 443' (note that request lines on port 443 are only visible if TLS is terminated or decrypted before the capture point).
  • Analyze the capture with Wireshark or tshark to look for HTTP request lines fragmented across multiple packets and check their combined length.
  • Use custom scripts or tools to parse HTTP requests and detect lines exceeding typical max_line_size values, especially if fragmented.
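The following added example (not aiohttp's code) shows the root-cause pattern the detection guidance above is looking for: a guard that measures each fragment on its own accepts an oversized line delivered in pieces, while a guard that carries the unfinished line across fragments rejects it. The limit of 8190 and the sample request are constructed assumptions for the demonstration.

```python
from typing import Iterable, List

MAX_LINE_SIZE = 8190   # limit used here; assumed to match aiohttp's default
CRLF = b"\r\n"

class LineTooLong(Exception):
    """Raised when one request/header line exceeds the limit."""

def per_fragment_check(fragments: Iterable[bytes], limit: int = MAX_LINE_SIZE) -> List[bytes]:
    """Flawed guard: each fragment is compared to the limit on its own,
    so a line delivered in small pieces is never measured as a whole."""
    lines, pending = [], b""
    for frag in fragments:
        if len(frag) > limit:             # only the piece is measured
            raise LineTooLong(len(frag))
        pending += frag
        while CRLF in pending:
            line, pending = pending.split(CRLF, 1)
            lines.append(line)
    return lines

def cumulative_check(fragments: Iterable[bytes], limit: int = MAX_LINE_SIZE) -> List[bytes]:
    """Correct guard: the unfinished line is carried across fragments and
    its running total is checked, so the limit applies to the whole line."""
    lines, pending = [], b""
    for frag in fragments:
        pending += frag
        while CRLF in pending:
            line, pending = pending.split(CRLF, 1)
            if len(line) > limit:         # completed line too long
                raise LineTooLong(len(line))
            lines.append(line)
        if len(pending) > limit:          # partial line already too long
            raise LineTooLong(len(pending))
    return lines

def fragment(data: bytes, size: int) -> List[bytes]:
    # Split bytes into fixed-size pieces, simulating fragmented delivery.
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed sample: one 20000-byte header line, far over the limit.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: " + b"A" * 20000 + CRLF + CRLF

def rejects(check, request: bytes = SAMPLE_REQUEST, frag_size: int = 1024) -> bool:
    """True if `check` raises LineTooLong for the request delivered in fragments."""
    try:
        check(fragment(request, frag_size))
        return False
    except LineTooLong:
        return True
```

Running `rejects(per_fragment_check)` returns False and `rejects(cumulative_check)` returns True for the same fragmented request, which is the gap a cumulative-length detector at the application or proxy layer needs to close.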
Mitigation Strategies

The primary mitigation step is to upgrade the aiohttp library to version 3.14.1 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, consider disabling or avoiding the use of the default C parser in aiohttp, although this is not explicitly detailed in the resources.

Monitor and limit the size of HTTP request lines at the application or network level to reduce the risk of exploitation.
