Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-22815 describes a memory exhaustion vulnerability discovered in aiohttp, a Python 3.6+ HTTP client/server framework. This vulnerability arises from insufficient restrictions in header and trailer handling, potentially allowing an attacker to trigger excessive memory usage. The vulnerability affects versions of aiohttp up to and including 3.9.5. A patch addressing this issue has been released in version 3.13.4.
An attacker can exploit this vulnerability by sending specially crafted HTTP requests or responses to a vulnerable aiohttp-powered application. The lack of proper size limitations on headers and trailers can lead to unbounded memory allocation. This can result in a denial-of-service (DoS) condition, where the application exhausts available memory and becomes unresponsive. The impact is particularly severe for applications handling a high volume of requests or processing large headers/trailers. While a typical reverse proxy configuration can mitigate this risk, applications without such protection are directly exposed.
CVE-2026-22815 was publicly disclosed on 2026-04-01. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Exploitation probability is considered low due to the lack of a public PoC, but the potential for DoS makes it a worthwhile target for attackers.
Exploit Status: EPSS 0.05% (16th percentile)
The primary mitigation for CVE-2026-22815 is to upgrade to aiohttp version 3.13.4 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a reverse proxy (e.g., Nginx, Apache) in front of the aiohttp application. The reverse proxy can be configured to limit the size of headers and trailers, effectively preventing the memory exhaustion attack. Additionally, review application code to ensure efficient handling of HTTP headers and trailers, minimizing memory usage.
Update aiohttp to version 3.13.4 or higher. This version contains the fix for the memory exhaustion vulnerability caused by unlimited trailer header handling.
CVE-2026-22815 is a vulnerability in aiohttp versions up to 3.9.5 where insufficient header/trailer handling can lead to memory exhaustion, potentially causing a denial-of-service.
You are affected if you are using aiohttp version 3.9.5 or earlier. Check your installed version using pip freeze or poetry show.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, implement a reverse proxy to limit header/trailer sizes.
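The two steps above (check the installed version, then compare it against the fixed release) can be scripted so the same check runs in CI or across many environments. The following is an added example, not code from the advisory or from the aiohttp project: it reads lines in the `name==version` format that `pip freeze` prints, finds the aiohttp pin, and reports whether it is below the 3.13.4 release the advisory names as fixed. The sample freeze listing is constructed; the threshold and the "drop pre-release suffixes" comparison rule are assumptions made for the example.

```python
"""Flag an installed aiohttp version that is older than the fixed release.

Added example for the advisory above (not the project's own code). It reads
`pip freeze`-style lines (name==version) and reports whether the pinned
aiohttp is below the version the advisory names as fixed.
"""
import re
from typing import Iterable, Optional, Tuple

FIXED_VERSION = "3.13.4"  # fixed release named in the advisory (assumed threshold)

# name==version, ignoring environment markers (;) and trailing comments (#)
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.13.4' or '3.13.0b1' into a comparable tuple of ints.

    Pre-release suffixes are dropped, so '3.13.4rc1' compares equal to
    '3.13.4'. That is a simplification chosen for this example; use the
    `packaging` library if you need full PEP 440 ordering.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'AioHTTP' and 'aiohttp' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_pinned(lines: Iterable[str], package: str = "aiohttp") -> Optional[str]:
    """Return the '==' pinned version of `package`, or None if not pinned."""
    want = normalize(package)
    for line in lines:
        m = _PIN_RE.match(line)
        if m and normalize(m.group(1)) == want:
            return m.group(2)
    return None


def needs_upgrade(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_freeze(lines: Iterable[str]) -> str:
    """One-line verdict for a freeze listing."""
    pinned = find_pinned(lines)
    if pinned is None:
        return "aiohttp not pinned in this listing"
    if needs_upgrade(pinned):
        return f"aiohttp {pinned} is below {FIXED_VERSION}: upgrade"
    return f"aiohttp {pinned} includes the fix"


# Constructed sample listing in the format `pip freeze` prints.
SAMPLE_FREEZE = """\
aiosignal==1.3.1
aiohttp==3.9.5
yarl==1.9.4
"""

if __name__ == "__main__":
    # Typical use: python check_aiohttp.py < <(pip freeze)
    import sys
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_FREEZE.splitlines()
    print(check_freeze(source))
```

Lines that are not exact pins (`aiohttp>=3.8`, editable installs, `name @ url` references) are deliberately reported as "not pinned" rather than guessed at, since a range specifier does not tell you which version is actually installed; run the script against `pip freeze` output, which always emits exact pins, rather than against a loosely specified requirements file.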
There is no confirmed active exploitation of CVE-2026-22815 at this time, but the potential for DoS warrants attention.
Refer to the aiohttp GitHub repository commit: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36