Bug 2418078 (CVE-2025-13836) - CVE-2025-13836 cpython: Excessive read buffering DoS in http.client
Summary: CVE-2025-13836 cpython: Excessive read buffering DoS in http.client
Keywords:
Status: NEW
Alias: CVE-2025-13836
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2428927 2428929 2428931 2428939 2428941 2428928 2428930 2428932 2428933 2428934 2428935 2428936 2428937 2428938 2428940 2428942 2428943 2428944 2428945 2428946 2428947 2428948
Blocks:
Reported: 2025-12-01 19:01 UTC by OSIDB Bzimport
Modified: 2026-02-05 11:54 UTC (History)
CC: 18 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:1374 0 None None None 2026-01-27 15:10:55 UTC
Red Hat Product Errata RHSA-2026:1408 0 None None None 2026-01-27 17:17:45 UTC
Red Hat Product Errata RHSA-2026:1410 0 None None None 2026-01-27 17:23:36 UTC
Red Hat Product Errata RHSA-2026:1828 0 None None None 2026-02-03 15:30:55 UTC
Red Hat Product Errata RHSA-2026:1892 0 None None None 2026-02-04 19:33:47 UTC
Red Hat Product Errata RHSA-2026:1893 0 None None None 2026-02-04 19:44:10 UTC
Red Hat Product Errata RHSA-2026:1922 0 None None None 2026-02-04 15:00:27 UTC
Red Hat Product Errata RHSA-2026:2084 0 None None None 2026-02-05 11:54:12 UTC

Description OSIDB Bzimport 2025-12-01 19:01:30 UTC
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
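
The pattern described above, demonstrated with a local "malicious" server and a client-side guard. This is an added example, not code from the bug report, from CPython, or from Red Hat: the server, the advertised body size, and the helper names (read_unbounded, read_bounded, fetch_with_limit, ResponseTooLarge) are constructed for illustration. It shows the unbounded call the description refers to (resp.read() with no amount, which sizes its buffer from Content-Length) next to a reader that refuses up front when the declared length is over a caller-chosen limit and also enforces that limit while reading, so a server that omits or lies about Content-Length cannot exceed it either.

```python
"""Bounded reading of an HTTP response body with http.client (added example)."""
import http.client
import socket
import threading

# Constructed fixture values: what the hostile server advertises and sends,
# and the piece size the bounded reader uses.
ADVERTISED_LENGTH = 2 * 1024 * 1024  # 2 MiB
CHUNK = 64 * 1024


class ResponseTooLarge(Exception):
    """Raised when a response body would exceed the caller's limit."""


def read_unbounded(resp):
    """The pattern the CVE describes: no amount, so the whole Content-Length
    is buffered. A server advertising a huge length drives memory use."""
    return resp.read()


def read_bounded(resp, max_bytes, chunk_size=CHUNK):
    """Read at most max_bytes from an http.client.HTTPResponse.

    Check 1: refuse before reading if the declared Content-Length is already
    over the limit (the header is absent for chunked or close-delimited bodies).
    Check 2: read in fixed-size pieces and stop the moment the limit is passed,
    which covers servers that omit, under-report, or chunk the length.
    """
    declared = resp.getheader("Content-Length")
    if declared is not None:
        try:
            if int(declared) > max_bytes:
                raise ResponseTooLarge(f"Content-Length {declared} exceeds {max_bytes}")
        except ValueError:
            pass  # unparsable header: fall through to the in-flight check
    buf = bytearray()
    while True:
        # Ask for at most one byte beyond the limit so overflow is detectable.
        piece = resp.read(min(chunk_size, max_bytes - len(buf) + 1))
        if not piece:
            break
        buf += piece
        if len(buf) > max_bytes:
            raise ResponseTooLarge(f"body exceeds {max_bytes} bytes")
    return bytes(buf)


def _serve_once(listener, body_length, declare_length):
    """Constructed hostile server: answer one request with body_length bytes,
    optionally advertising that size in Content-Length."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(65536)  # any request gets the same reply; discard it
        headers = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
        if declare_length:
            headers += f"Content-Length: {body_length}\r\n".encode()
        headers += b"Connection: close\r\n\r\n"
        block = b"A" * CHUNK
        remaining = body_length
        try:
            conn.sendall(headers)
            while remaining > 0:
                n = min(remaining, len(block))
                conn.sendall(block[:n])
                remaining -= n
        except OSError:
            pass  # client gave up and closed; nothing more to do


def fetch_with_limit(max_bytes, body_length=ADVERTISED_LENGTH, declare_length=True):
    """Start the server on an ephemeral loopback port, fetch '/', and read
    the body under max_bytes. Raises ResponseTooLarge when the cap is hit."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_once,
                         args=(listener, body_length, declare_length), daemon=True)
    t.start()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return read_bounded(resp, max_bytes)
    finally:
        conn.close()  # closing early makes the server's sendall fail, ending it
        t.join(timeout=10)
        listener.close()


if __name__ == "__main__":
    try:
        fetch_with_limit(256 * 1024)
    except ResponseTooLarge as e:
        print("refused:", e)
    print("accepted", len(fetch_with_limit(4 * 1024 * 1024)), "bytes")
```

The up-front check alone is not enough: a server can send a small or absent Content-Length and then keep streaming, or use chunked encoding, so the in-flight cap is the one that actually bounds memory. For clients on a fixed Python version, wrapping reads this way is a practical mitigation until the patched package lands.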

Comment 2 errata-xmlrpc 2026-01-27 15:10:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1374 https://access.redhat.com/errata/RHSA-2026:1374

Comment 3 errata-xmlrpc 2026-01-27 17:17:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1408 https://access.redhat.com/errata/RHSA-2026:1408

Comment 4 errata-xmlrpc 2026-01-27 17:23:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1410 https://access.redhat.com/errata/RHSA-2026:1410

Comment 5 errata-xmlrpc 2026-02-03 15:30:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1828 https://access.redhat.com/errata/RHSA-2026:1828

Comment 6 errata-xmlrpc 2026-02-04 15:00:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:1922 https://access.redhat.com/errata/RHSA-2026:1922

Comment 7 errata-xmlrpc 2026-02-04 19:33:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1892 https://access.redhat.com/errata/RHSA-2026:1892

Comment 8 errata-xmlrpc 2026-02-04 19:44:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1893 https://access.redhat.com/errata/RHSA-2026:1893

Comment 9 errata-xmlrpc 2026-02-05 11:54:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2084 https://access.redhat.com/errata/RHSA-2026:2084

