Bug 2491443 (CVE-2026-53540)

Summary: CVE-2026-53540 python-multipart: Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alinfoot, anpicker, anthomas, aprice, bbrownin, bparees, dfreiber, drow, dschmidt, dtrifiro, ehelms, fdeutsch, ggainey, hasun, ilpinto, jburrell, jdobes, jfula, jkoehler, jlanda, jowilson, jpasqual, jsamir, juwatts, jwong, kaycoth, kshier, lphiri, ltomasbo, mbarnett, mhayden, mhulan, nmoumoul, nyancey, oezr, omaciel, ometelka, orabin, oramraz, osousa, pcreech, prwatson, ptisnovs, rbryant, rchan, rjohnson, sdoran, simaishi, smallamp, smullick, stcannon, stirabos, syedriko, teagle, thason, tmalecek, ttakamiy, vkumar, weaton, xdharmai, yguenane, ykashtan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2495855    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-22 18:01:40 UTC
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.