OESA-2026-2839

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2839
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2839.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2839
Upstream
Published
2026-07-06T06:27:41Z
Modified
2026-07-06T06:45:18.332125646Z
Summary
python-aiohttp security update
Details

Async http client/server framework (asyncio).

Security Fix(es):

No limit was present on the number of pipelined requests that could be queued. Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.(CVE-2026-54273)

If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use(CVE-2026-54274)

If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.(CVE-2026-54275)

If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest.

This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse.(CVE-2026-54276)

It is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. Impact If using the optimized C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.(CVE-2026-54277)

An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).(CVE-2026-54278)

Host-only cookies If you save a cookie and later restore it, you lose the host-only status. CookieJar.save()CookieJar.load() affects host-only cookies loaded from disk that may be sent to subdomains that should previously have been banned(CVE-2026-54279)

Payload resources are not closed correctly when a client disconnects in the middle of a write. Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.(CVE-2026-54280)

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/openEuler/python-aiohttp&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.14.1-1.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "python-aiohttp-debuginfo-3.14.1-1.oe2403sp1.aarch64.rpm",
        "python-aiohttp-debugsource-3.14.1-1.oe2403sp1.aarch64.rpm",
        "python-aiohttp-help-3.14.1-1.oe2403sp1.aarch64.rpm",
        "python3-aiohttp-3.14.1-1.oe2403sp1.aarch64.rpm"
    ],
    "src": [
        "python-aiohttp-3.14.1-1.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "python-aiohttp-debuginfo-3.14.1-1.oe2403sp1.x86_64.rpm",
        "python-aiohttp-debugsource-3.14.1-1.oe2403sp1.x86_64.rpm",
        "python-aiohttp-help-3.14.1-1.oe2403sp1.x86_64.rpm",
        "python3-aiohttp-3.14.1-1.oe2403sp1.x86_64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2839.json"