CVE-2026-34513

High

Published: 01 April 2026

Published

01 April 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0006 17.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34513 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Aiohttp Aiohttp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely flaw remediation, such as upgrading AIOHTTP to version 3.13.4 to fix the unbounded DNS cache vulnerability.

SC-5 Denial-of-service Protection good match

prevent

Implements denial-of-service protections to mitigate memory exhaustion attacks triggered by repeated DNS resolutions in AIOHTTP.

SC-6 Resource Availability partial match

preventdetect

Protects resource availability by monitoring and limiting memory usage against unbounded cache growth leading to DoS.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The unbounded DNS cache vulnerability enables remote exploitation via crafted requests to exhaust memory and crash the application, directly mapping to application or system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.

Deeper analysisAI

CVE-2026-34513 is a vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, affecting versions prior to 3.13.4. The issue involves an unbounded DNS cache (CWE-770) that can lead to excessive memory usage, potentially resulting in a denial-of-service condition. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. By inducing repeated DNS resolutions, such as through crafted HTTP requests to a server using AIOHTTP or client-side operations, an attacker can cause the DNS cache to grow indefinitely, exhausting system memory and crashing the application.

The vulnerability has been patched in AIOHTTP version 3.13.4. Mitigation involves upgrading to this version or later. Key resources include the patching commit at https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98, the release announcement at https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4, and the GitHub security advisory at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92.