Cyber Resilience

CVE-2026-31958

High · DDoS

Published: 11 March 2026
Modified: 01 April 2026
KEV Added: not listed
Patch: available (6.5.5)
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0037 (29.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31958 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Tornadoweb Tornado. Its CVSS base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 29.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31958 is a denial-of-service vulnerability in Tornado, a Python web framework and asynchronous networking library, affecting versions prior to 6.5.5. The issue arises because there is no dedicated limit on the number of parts in a multipart/form-data request: the only bound is the max_body_size setting, which defaults to 100MB and caps bytes, not parts. Parsing of these multipart bodies occurs synchronously on the main thread, and Tornado serves every connection of a process from that one event-loop thread, so a large body made of many parts holds the loop for the duration of the parse and stalls every other request the process is handling. This is the pattern catalogued as CWE-400 (Uncontrolled Resource Consumption).

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction. An attacker can send a crafted multipart/form-data request containing a very large number of tiny parts while staying within the body size limit; because the parsing cost is per part rather than per byte, such a body is far more expensive to process than its size suggests, and the server expends that CPU time synchronously on the main thread, denying service to other clients.

Tornado version 6.5.5 resolves this vulnerability. Security advisories recommend upgrading to 6.5.5 or later. Key references include the GitHub security advisory at https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html.

Vulnerability details

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote unauthenticated vulnerability (CWE-400) that is directly exploited by sending a crafted multipart/form-data request to trigger synchronous CPU exhaustion on the main thread, mapping exactly to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35536 · Same product: Tornadoweb Tornado
CVE-2024-57076 · Shared CWE-400
CVE-2025-25293 · Shared CWE-400
CVE-2025-9283 · Shared CWE-400
CVE-2025-59440 · Shared CWE-400
CVE-2026-30998 · Shared CWE-400
CVE-2026-41135 · Shared CWE-400
CVE-2025-21270 · Shared CWE-400
CVE-2024-57074 · Shared CWE-400
CVE-2025-21087 · Shared CWE-400

Affected Assets

tornadoweb / tornado
Versions < 6.5.5 (fixed in 6.5.5)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-2 Flaw Remediation

Timely patching to Tornado 6.5.5 directly remediates the vulnerability by implementing a dedicated limit on multipart/form-data parts.

prevent · SC-5 Denial-of-service Protection

Denial-of-service protections limit the impact of CPU exhaustion from synchronous parsing of large multipart bodies with many parts.

prevent

Restrictions on the quantity of information inputs enforce limits on the number of parts in multipart/form-data requests, so that resource consumption is bounded by a part count and not only by max_body_size.
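The following is an added example, not Tornado project code and not the 6.5.5 fix. It serves two passages on this page: the deeper-analysis explanation of why max_body_size alone does not bound parser work (many tiny parts fit under a byte cap), and the mitigating control above that calls for a limit on the number of parts. It constructs a minimal-part body to show the size arithmetic, then implements a streaming part counter that rejects a request as soon as the delimiter count exceeds a limit, before any real multipart parsing happens. MAX_PARTS, the helper names and the constructed request are assumptions for illustration; only MAX_BODY_SIZE reflects a real Tornado default.

```python
"""Part-count gate for multipart/form-data bodies (shape of CVE-2026-31958).

Added illustration: not Tornado project code and not the 6.5.5 fix.
MAX_PARTS, the helper names and the constructed request are assumptions.
"""
from __future__ import annotations

import re

MAX_BODY_SIZE = 100 * 1024 * 1024  # Tornado's default max_body_size (100 MB)
MAX_PARTS = 1000                    # assumed policy limit, not a Tornado setting


class TooManyParts(ValueError):
    """Raised as soon as the part limit is exceeded, before any parsing."""


def minimal_part(boundary: bytes) -> bytes:
    """Smallest well-formed part: delimiter line, one header, blank line, 1 byte."""
    return (b"--" + boundary + b"\r\n"
            + b'Content-Disposition: form-data; name="a"\r\n\r\n'
            + b"x\r\n")


def build_multipart_body(n_parts: int, boundary: bytes = b"b") -> bytes:
    """Constructed body: n_parts minimal parts followed by the closing delimiter.

    Part count grows far faster than byte count, which is why a byte cap
    such as max_body_size does not bound the parser's work.
    """
    return minimal_part(boundary) * n_parts + b"--" + boundary + b"--\r\n"


def parts_that_fit(body_limit: int, boundary: bytes = b"b") -> int:
    """How many minimal parts fit under a byte limit such as max_body_size."""
    return body_limit // len(minimal_part(boundary))


def parse_boundary(content_type: str) -> bytes | None:
    """Return the boundary of a multipart/form-data Content-Type, else None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    m = re.search(r'boundary=(?:"([^"]*)"|([^;\s]+))', content_type)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.encode("ascii") if value else None


class PartCounter:
    """Count part delimiters ("--" + boundary) incrementally as chunks arrive.

    A tail shorter than the delimiter is kept from the previous chunk, so a
    delimiter split across two chunks is still seen and nothing is counted
    twice. Raw delimiter occurrences are a cheap upper bound on the number
    of parts (the closing delimiter adds one), which is all a gate needs.
    """

    def __init__(self, boundary: bytes, max_parts: int = MAX_PARTS):
        self.delimiter = b"--" + boundary
        self.max_parts = max_parts
        self.delimiters = 0   # delimiters seen so far (parts + 1 once closed)
        self._tail = b""

    def feed(self, chunk: bytes) -> int:
        data = self._tail + chunk
        self.delimiters += data.count(self.delimiter)
        self._tail = data[-(len(self.delimiter) - 1):]
        if self.delimiters > self.max_parts + 1:   # +1 allows the closing delimiter
            raise TooManyParts(f"more than {self.max_parts} multipart parts")
        return self.delimiters


def gate_multipart_request(headers: dict, body: bytes,
                           max_parts: int = MAX_PARTS,
                           chunk_size: int = 64 * 1024) -> tuple[bool, int]:
    """Decide before parsing whether a buffered body is within the part limit.

    Returns (accepted, delimiters_seen); non-multipart requests pass through.
    The body is fed in chunks to exercise the same path a streaming handler
    would use, so rejection can happen long before the whole body is read.
    """
    boundary = parse_boundary(headers.get("Content-Type", ""))
    if boundary is None:
        return True, 0
    counter = PartCounter(boundary, max_parts)
    try:
        for offset in range(0, len(body), chunk_size):
            counter.feed(body[offset:offset + chunk_size])
    except TooManyParts:
        return False, counter.delimiters
    return True, counter.delimiters


if __name__ == "__main__":
    headers = {"Content-Type": "multipart/form-data; boundary=b"}
    print("minimal parts under the default max_body_size:",
          parts_that_fit(MAX_BODY_SIZE))
    hostile = build_multipart_body(5000)          # constructed, ~260 KB
    print(f"5000-part body is {len(hostile)} bytes:",
          "accepted" if gate_multipart_request(headers, hostile)[0] else "rejected")
    print("10-part body:", gate_multipart_request(headers, build_multipart_body(10)))
```

Where this gate can sit in a Tornado deployment is an integration assumption, not something the advisory specifies. A handler decorated with @tornado.web.stream_request_body does not have its body parsed by the framework, so data_received(chunk) can feed each chunk to PartCounter, answer 413 and close the connection early. For ordinary buffered handlers the framework parses the body before prepare() runs, so a gate inside the handler is too late; it has to sit in front of the process, for example in a reverse proxy that rejects over-segmented bodies. Upgrading to 6.5.5 remains the actual fix.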

References