| Name | CVE-2026-54274 |
| Description | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-aiohttp (PTS) | bullseye | 3.7.4-1 | vulnerable |
| bullseye (security) | 3.7.4-1+deb11u2 | vulnerable | |
| bookworm, bookworm (security) | 3.8.4-1+deb12u1 | vulnerable | |
| trixie (security), trixie | 3.11.16-1+deb13u1 | vulnerable | |
| forky | 3.14.1-3 | fixed | |
| sid | 3.14.1-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-aiohttp | source | (unstable) | 3.14.1-1 |
[trixie] - python-aiohttp <no-dsa> (Minor issue)
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
Fixed by: https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d (v3.14.1)