Bug 2447059 (CVE-2026-28356)

Summary: CVE-2026-28356 multipart: denial of service via maliciously crafted HTTP or multipart segment headers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, alinfoot, anpicker, anthomas, aprice, bbrownin, bparees, dfreiber, drow, dschmidt, dtrifiro, ebourniv, ehelms, erezende, ggainey, hasun, jburrell, jdobes, jfula, jkoehler, jlanda, jowilson, jsamir, juwatts, jwong, kaycoth, kshier, lgallett, lphiri, mhayden, mhulan, nmoumoul, nyancey, oezr, omaciel, ometelka, orabin, osousa, pcreech, ptisnovs, rbryant, rchan, sbunciak, sdoran, simaishi, smallamp, smcdonal, stcannon, syedriko, teagle, tmalecek, ttakamiy, vkumar, weaton, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in multipart. The parse_options_header function in multipart.py uses a regular expression with an ambiguous alternation, causing an exponential backtracking (ReDoS) when parsing a specially crafted HTTP or multipart segment headers. A web application parsing request headers or multipart/form-data streams can block request handling threads for multiple seconds per request, eventually resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2447328    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-12 18:02:20 UTC 
multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.