Bug 2491456 (CVE-2026-54274)

Summary: CVE-2026-54274 aiohttp: aiohttp: Denial of Service via incomplete websocket frame payloads
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, alinfoot, anpicker, anthomas, aprice, bbrownin, bdettelb, bparees, brasmith, cochase, dfreiber, doconnor, dranck, drow, dschmidt, dtrifiro, ehelms, erezende, ggainey, gtanzill, hasun, ilpinto, jburrell, jbuscemi, jdobes, jfula, jkoehler, jlanda, jmitchel, jowilson, jsamir, juwatts, jwong, kaycoth, kshier, lbrazdil, lichen, ljawale, lphiri, ltomasbo, luizcosta, mbarnett, mhulan, mminar, nmoumoul, nweather, nyancey, oezr, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pcreech, ptisnovs, rbiba, rbobbitt, rbryant, rchan, rjohnson, simaishi, smallamp, sskracic, stcannon, sthirugn, syedriko, teagle, tmalecek, tpfromme, ttakamiy, vkumar, weaton, xdharmai, xialiu, yguenane, ykashtan, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in aiohttp, an asynchronous HTTP client/server framework. An attacker can exploit this vulnerability by sending large, incomplete websocket frame payloads. This can bypass normal memory usage limits, potentially leading to a Denial of Service (DoS) where the affected system becomes unavailable.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 18:02:30 UTC
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.