CVE-2026-34516
Published: 01 April 2026
Summary
CVE-2026-34516 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Aiohttp Aiohttp. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific flaw in AIOHTTP's multipart header processing by requiring timely patching to version 3.13.4.
Implements denial-of-service protections such as resource quotas and throttling to block excessive memory consumption from malicious HTTP responses with numerous multipart headers.
Ensures resource availability by dedicating and limiting memory allocations for HTTP client processing functions to mitigate exhaustion attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote DoS via resource exhaustion (CWE-770) in AIOHTTP client response parsing, directly enabling T1499.004 Application or System Exploitation to crash or impair the target application.
NVD Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue…
more
has been patched in version 3.13.4.
Deeper analysisAI
CVE-2026-34516 is a denial-of-service (DoS) vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. In versions prior to 3.13.4, the framework fails to properly limit memory usage when processing a response containing an excessive number of multipart headers, leading to unintended high memory consumption. This issue corresponds to CWE-770 (Allocation of Resources Without Limits or Throttling) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited by a remote, unauthenticated attacker with network access to a target system using an affected version of AIOHTTP as an HTTP client. By crafting and sending an HTTP response with a large number of multipart headers, the attacker can trigger excessive memory allocation during parsing, potentially causing the application to crash or become unresponsive due to resource exhaustion.
The issue has been addressed in AIOHTTP version 3.13.4, where the fix limits memory usage for multipart header processing. Official advisories and patches are detailed in the GitHub security advisory (GHSA-m5qp-6w8w-w647), the release notes for v3.13.4, and the patching commit (8a74257b3804c9aac0bf644af93070f68f6c5a6f). Security practitioners should prioritize upgrading affected applications to mitigate this risk.
Details
- CWE(s)