SB2026071602 - SUSE update for python-aiohttp



SB2026071602 - SUSE update for python-aiohttp

Published: July 16, 2026

Security Bulletin ID SB2026071602
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 91% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-22815)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in header/trailer handling when processing an attacker-controlled request or response. A remote attacker can send a specially crafted request or response to cause a denial of service.


2) Resource exhaustion (CVE-ID: CVE-2026-34513)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in TCPConnector DNS cache when handling requests to a very large number of hosts. A remote attacker can cause an application to make requests to many different hosts to cause a denial of service.


3) CRLF injection (CVE-ID: CVE-2026-34514)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject extra headers into a multipart request.

The vulnerability exists due to improper neutralization of carriage return and line feed characters in multipart part content type header construction when constructing a multipart request with an attacker-controlled content_type parameter. A remote attacker can supply a crafted content_type value to inject extra headers into a multipart request.

The issue occurs if an application uses untrusted data for the multipart content_type parameter while constructing a request.


4) Input validation error (CVE-ID: CVE-2026-34516)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in multipart header processing when parsing a response with an excessive number of multipart headers. A remote attacker can send a specially crafted response to cause a denial of service.

Other restrictions in place limit the impact of this vulnerability.


5) Resource exhaustion (CVE-ID: CVE-2026-34517)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in Request.post() when processing specially crafted multipart form fields. A remote attacker can send a specially crafted multipart request to cause a denial of service.

The issue affects non-file multipart fields that are read into memory before the client_max_size check is enforced.


6) Information disclosure (CVE-ID: CVE-2026-34518)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in redirect handling when following redirects to a different origin. A remote attacker can trigger a cross-origin redirect to disclose sensitive information.

Cookie and Proxy-Authorization headers are retained while the Authorization header is dropped during the redirect.


7) HTTP response splitting (CVE-ID: CVE-2026-34519)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject extra headers into an HTTP response.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in the Response reason parameter when creating a response with untrusted reason data. A remote attacker can supply a crafted reason value containing carriage return characters to inject extra headers into an HTTP response.

The issue is exploitable only if an application uses untrusted data in the response reason parameter.


8) HTTP response splitting (CVE-ID: CVE-2026-34520)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security controls.

The vulnerability exists due to improper neutralization of control characters in HTTP response headers in the C parser (llhttp) when processing response header values. A remote attacker can send specially crafted header values to bypass security controls.

The issue can cause header values to be interpreted differently than expected by application logic or intermediary components such as reverse proxies.


9) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-34525)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass a security check and access a privileged sub application.

The vulnerability exists due to inconsistent interpretation of HTTP requests in Host header handling when processing requests with multiple Host headers through a reverse proxy. A remote attacker can send a specially crafted request with duplicate Host headers to bypass a security check and access a privileged sub application.

Exploitation is theoretically possible when a reverse proxy applies security rules based on the target Host and the application uses Application.add_domain().


10) Deserialization of Untrusted Data (CVE-ID: CVE-2026-34993)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in CookieJar.load() when loading untrusted input. A local privileged user can supply a crafted file to execute arbitrary code.

User interaction is required to load the crafted file.


11) Improper access control (CVE-ID: CVE-2026-47265)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in request redirect handling when following a cross-origin redirect after setting per-request cookies. A remote attacker can control a redirect to disclose sensitive information.

The issue occurs only when cookies are supplied through the per-request cookies parameter.


Remediation

Install update from vendor's website.