Bug 2459381 (CVE-2026-40347)

Summary: CVE-2026-40347 python-multipart: Python-Multipart: Denial of Service via crafted multipart/form-data requests
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alinfoot, anpicker, anthomas, aprice, bbrownin, bparees, caswilli, dfreiber, drow, dschmidt, dtrifiro, ebourniv, ehelms, erezende, ggainey, hasun, ilpinto, jburrell, jdobes, jfula, jkoehler, jlanda, jowilson, jsamir, juwatts, jwong, kaycoth, kshier, lgallett, lphiri, ltomasbo, mbarnett, mhayden, mhulan, nmoumoul, nyancey, oezr, omaciel, ometelka, orabin, osousa, pcreech, ptisnovs, rbryant, rchan, rjohnson, sbunciak, sdoran, simaishi, smallamp, smcdonal, stcannon, syedriko, teagle, tmalecek, ttakamiy, vkumar, weaton, xdharmai, yguenane, ykashtan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Python-Multipart, a tool for processing web form data. A remote attacker could exploit this vulnerability by sending specially crafted web requests. These requests, containing unusually large sections of data before or after the main content, could cause the system to become unresponsive. This leads to a denial of service, preventing legitimate users from accessing the service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-18 01:01:28 UTC
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.