CVE Catalog

CVE-2026-54280

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

In the AIOHTTP library before version 3.14.1, payload resources are not properly closed when a client disconnects during a write operation. This can lead to temporary resource exhaustion, such as open file handles, until they are released by garbage collection.

Risk Assessment

An attacker can intentionally disconnect while sending data, causing limited resources (e.g., file handles) to be locked, leading to denial of service (DoS) for other users.

Recommendation

Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix that closes resources upon client disconnection.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS