CVE-2026-22815
Published: 01 April 2026
Summary
CVE-2026-22815 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Aiohttp Aiohttp. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of known flaws like CVE-2026-22815 by upgrading AIOHTTP to version 3.13.4 to eliminate uncapped memory usage in header/trailer handling.
Implements denial-of-service protections such as HTTP header size limits and request throttling to prevent memory exhaustion from malformed or oversized headers and trailers.
Enforces limits on resource allocation, including memory, to protect against uncontrolled consumption triggered by excessive HTTP header and trailer data.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directly enables application-layer resource exhaustion DoS via crafted HTTP headers/trailers against a public-facing AIOHTTP server.
NVD Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
Deeper analysisAI
CVE-2026-22815 is a vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, affecting versions prior to 3.13.4. It arises from insufficient restrictions in header and trailer handling, potentially leading to uncapped memory usage. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation causes high-impact denial of service by triggering memory exhaustion on the targeted server, without compromising confidentiality or integrity.
The vulnerability has been addressed in AIOHTTP version 3.13.4. Mitigation involves upgrading to this patched version, with details available in the security advisory at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5, release notes at https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4, and the fixing commit at https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36.
Details
- CWE(s)